(Please respect Reply-To)

"Eric A. Hall" <ehall@ehsco.com> writes:

> on 6/8/2002 8:54 PM Simon Josefsson said the following:
>
>> Despite the FUD presented by certain individuals that don't want
>> keys/certs in DNS, people have already started doing it and it works
>> fine.
>
> Setting aside the issue of whether or not people are spreading FUD,

I still wish a technical analysis of the consequences would be performed by those who are critical... Not using a protocol because using it increases message sizes and round trips compared with not using the protocol isn't a very convincing argument.

> perhaps you could tell us about your setup.

I am afraid that will require a shameless plug of my master thesis (you asked for it! :-)):

http://josefsson.org/master-thesis/

Most answers to your questions can be found in it, but I'll continue answering your questions specifically:

> How homogeneous were the applications and operating systems that
> requested the certs?

Applications were all written in C, although parsing of responses was done in Lisp in one application. OSes were Win2k, GNU/Linux and Solaris.

> What resolver calls did you use?

One application used the "dig" application and another used getcertinfo() (I'm not sure OpenBSD ended up with that resolver API though, but that was a proposed solution back then).

> What other RRs were bound to the owner names?

None, just one or more CERT RRs.

> How many delegation entries did you provide along with the data and
> what was the message size without the certs?

Not many; numbers and sizes were similar to what you normally find on the net.

> How big were the certs?

.5-2kb.

> Did any of the lookups overflow, and did everything support TCP
> fallback?

Yes. Practically all lookups overflow if DNSSEC is used so this shouldn't surprise anyone. (Try "dig www.josefsson.org a +dnssec".) TCP (and perhaps also EDNS.0) should probably be a requirement for those applications and servers that want to use application keys in DNS.

> and finally, do you think that the answers will be the same for all
> nodes across the global namespace?

No, there are other operating systems, programming languages, resolver APIs, other RR owner name setups, different numbers of delegation entries, and cert sizes than the ones I tried.

As for all nodes across the global namespace supporting TCP fallback, I would agree with you that they don't, but I would not see how it is relevant. Such software would not see this kind of data unless a user of the server tried to use this stuff, and in that case I don't see why that user couldn't upgrade her own software to get it to work. If users want IPv6 they install IPv6, they (usually) don't complain that IPv6 is broken since their IPv4 router doesn't support it.
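An added example, not part of the thread or of the thesis, of the two mechanisms the reply says a CERT-in-DNS client needs: an EDNS0 OPT record advertising a UDP payload larger than the classic 512 bytes, and a check of the TC (truncation) bit so a clipped UDP reply is retried over TCP rather than trusted. It also splits CERT RDATA (RFC 2538 layout) into its fields. The function names, the 4096-byte EDNS size and the sample reply bytes are constructed assumptions.

```python
import struct

QTYPE_CERT = 37   # CERT RR type number (RFC 2538)
TYPE_OPT = 41     # EDNS0 OPT pseudo-RR type number

def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234, edns_udp_size=None):
    """Build a recursive query; with edns_udp_size, append an OPT RR that
    advertises a UDP payload size above the 512-byte default."""
    arcount = 1 if edns_udp_size else 0
    hdr = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(name) + struct.pack(">HH", qtype, 1)   # class IN
    opt = b""
    if edns_udp_size:
        # OPT: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLEN=0
        opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return hdr + question + opt

def parse_header(msg):
    """Decode the 12-byte header; 'tc' is the truncation flag (bit 0x0200)."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def needs_tcp_fallback(msg):
    """A truncated UDP reply is incomplete: the client must retry over TCP."""
    return parse_header(msg)["tc"]

def parse_cert_rdata(rdata):
    """CERT RDATA: type (16 bits) | key tag (16) | algorithm (8) | certificate."""
    ctype, keytag, alg = struct.unpack(">HHB", rdata[:5])
    return {"type": ctype, "key_tag": keytag, "algorithm": alg, "cert": rdata[5:]}

# Constructed sample reply header: flags 0x8380 = QR | TC | RD | RA, no answers
SAMPLE_TRUNCATED = struct.pack(">HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
# Constructed CERT RDATA: type 1 (PKIX), key tag 0x2B1C, algorithm 5, dummy DER bytes
SAMPLE_CERT_RDATA = struct.pack(">HHB", 1, 0x2B1C, 5) + b"\x30\x82\x01\x00"

if __name__ == "__main__":
    q = build_query("www.josefsson.org", QTYPE_CERT, edns_udp_size=4096)
    print(len(q), "byte query, truncated reply:", needs_tcp_fallback(SAMPLE_TRUNCATED))
```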