To: Derek Atkins <derek@ihtfp.com>
cc: Key Distribution <keydist@cafax.se>
From: Mats Dufberg <dufberg@telia.net>
Date: Fri, 14 Jun 2002 21:57:29 +0200 (CEST)
In-Reply-To: <sjm1ybd9sdd.fsf@kikki.mit.edu>
Sender: owner-keydist@cafax.se
Subject: Re: Global PKI on DNS?
On Jun 11, 2002, 21:51 (-0400) Derek Atkins <derek@ihtfp.com> wrote:

> > Why do you think the roots and TLDs would get millions of TCP queries for
> > their certs? Why would anyone want to get the certs of the roots or tlds?
>
> Just to play devil's advocate, if a resolver was going to track a
> signature chain all the way back up, it's going to have to request the
> KEY/SIG records for all the parent domains all the way back to the
> root. In other words, resolvers all over the world are going to make
> requests to verify the KEY of, e.g. .COM. So, yes, there may be
> millions of requests to the root servers for KEY/SIG records in order
> to verify the leaf KEY/SIG record chains.
>
> Hopefully caching will help, but the traffic for "COM. IN SIG" is
> going to be a fairly popular DNSSec request, IMHO.

I see no reason why the root servers would get TCP requests just because someone is requesting "www.namn.se. CERT ?" unless the resolver is broken. Aren't we talking about normal DNS resolving, where TCP queries appear after a UDP response with the TC (truncated) flag has been received?

Mats

----------------------------------------------------------------------
Mats Dufberg                          Registry TeliaNet
dufberg@telia.net                     Skanova/AO Networks
+46 8 456 7274                        Box 10707
+46 70 258 2588                       SE-121 29 Stockholm
----------------------------------------------------------------------
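As an added illustration of the UDP-then-TCP behaviour Mats describes (example code written for this archive page, not from either poster), the following builds a "www.namn.se. CERT" query, parses the DNS header of a constructed reply, and falls back to TCP only when the TC bit is set. The sample reply is constructed inline, not captured traffic; the record type and flag values are the standard wire-format numbers.

```python
import struct

# Constructed example: type/class numbers are the standard IANA values.
DNS_TYPE_CERT = 37    # CERT resource record (RFC 4398)
DNS_CLASS_IN = 1
FLAG_QR = 0x8000      # header flags word: response bit
FLAG_TC = 0x0200      # header flags word: TrunCation bit
FLAG_RD = 0x0100      # header flags word: recursion desired
FLAG_RA = 0x0080      # header flags word: recursion available

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the zero root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qtype, txid):
    """One-question recursive query; the same bytes are sent over UDP or TCP."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, DNS_CLASS_IN)

def parse_header(msg):
    """Decode the 12-byte DNS header into its fields."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "tc": bool(flags & FLAG_TC),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def needs_tcp_retry(udp_response, expected_id):
    """A conforming resolver retries over TCP only when the UDP reply has TC set."""
    hdr = parse_header(udp_response)
    if hdr["id"] != expected_id or not (hdr["flags"] & FLAG_QR):
        raise ValueError("not a response to our query")
    return hdr["tc"]

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a two-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def make_udp_response(query, truncated):
    """Constructed sample reply: echoes the question section, optionally with TC set."""
    txid = parse_header(query)["id"]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]

if __name__ == "__main__":
    q = build_query("www.namn.se.", DNS_TYPE_CERT, 0x1234)
    for tc in (False, True):
        r = make_udp_response(q, tc)
        print("TC=%s -> retry over TCP: %s" % (tc, needs_tcp_retry(r, 0x1234)))
```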