To: Havard Eidnes <he@uninett.no>
Cc: <randy@psg.com>, <GILBERT.R.LOOMIS@saic.com>, <dnssec@cafax.se>
From: Roy Arends <Roy.Arends@nominum.com>
Date: Fri, 7 Sep 2001 17:03:59 +0200 (CEST)
In-Reply-To: <20010907.114703.73684308.he@uninett.no>
Sender: owner-dnssec@cafax.se
Subject: Re: CERTificates and public keys
On Fri, 7 Sep 2001, Havard Eidnes wrote:

> > > 1. I would strongly prefer to have all the random
> > > keys that are *not* part of the DNS
> > > infrastructure end up in a single place.
> >
> > i too. outside the dns. why not put them in the aim member
> > directory? why always the dns?
>
> I have never quite fathomed why some seem to have an ingrained fear of
> adding more data to the DNS.

Not the "more" fact, but the "different" fact could be problematic. Every unique single lookup starts at root. Consider the load of bogus that is already hitting the root-servers. Deployment of different data (other classes/new types) should be carefully considered in such a way that it under no circumstances breaks the scale. With scale I mean the current growing scale of new data of the same type that root could handle.

> I can however understand why DNS with DNSSEC is an attractive mechanism
> -- why should one have to reinvent a new protocol which will need to
> more or less duplicate DNS' functionality?

We shouldn't if it duplicates functionality. Not invented here syndrome and all that jazz.

> Would you care to explain why this is problematical?
>
> I would think that
>
> 1) the growth of the size of the data would all be at the edges
> (authoritative servers) or felt at the edges (recursive servers),
> where resources can relatively easily be scaled up to handle the
> added demand.

Growth of the size of data is felt at the root first. If it can be scaled at root, the branches should have no problem.

> 2) making more services depend on the DNS would perhaps make people
> put more attention to their DNS setups' performance, correctness
> and resiliency (one can always hope...)

That is not an argument. Vice versa. More services within the DNS will lead to even more ill-configured, broken setups.

Roy Arends
Nominum

-------------
0-14-023750-X
dcrpt ths
43.0D.01 01.05.0C 84.18.03 8A.13.04 2D.0B.0A