David Conrad <david.conrad@nominum.com> writes:

> Why do you think the roots and TLDs would get millions of TCP queries for
> their certs? Why would anyone want to get the certs of the roots or TLDs?

Just to play devil's advocate, if a resolver was going to track a signature chain all the way back up, it's going to have to request the KEY/SIG records for all the parent domains all the way back to the root. In other words, resolvers all over the world are going to make requests to verify the KEY of, e.g. .COM.

So, yes, there may be millions of requests to the root servers for KEY/SIG records in order to verify the leaf KEY/SIG record chains. Hopefully caching will help, but the traffic for "COM. IN SIG" is going to be a fairly popular DNSSec request, IMHO.

-derek

--
Derek Atkins
Computer and Internet Security Consultant
derek@ihtfp.com www.ihtfp.com
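The load argument above, as an added model that is not part of the thread: a validating resolver fetching the KEY/SIG set of every ancestor zone up to the root, once per lookup without a cache and once per zone (until its TTL expires) with one. The query names are constructed, and the cache is simplified to a set with no TTL expiry; the record types are the KEY/SIG names used in the discussion (the current DNSSEC RRs are DNSKEY/RRSIG/DS, but the zone walk is the same).

```python
from collections import Counter


def ancestor_zones(name):
    """Zones whose KEY/SIG a validator must fetch to verify `name`,
    leaf first and ending at the root zone '.'."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    zones = [".".join(labels[i:]) + "." for i in range(len(labels))]
    zones.append(".")
    return zones


def validation_queries(names, use_cache=True):
    """Count '<zone> IN KEY/SIG' fetches one resolver issues while validating
    each looked-up name in `names`.

    With use_cache=True a zone whose keys were already verified is not fetched
    again, and because the walk always continued to the root the first time,
    every ancestor of a cached zone is cached too, so the walk stops there.
    Returns a Counter mapping zone -> number of fetches sent to that zone's
    servers.
    """
    fetches = Counter()
    verified = set()  # zones whose KEY/SIG are cached and already validated
    for name in names:
        for zone in ancestor_zones(name):
            if use_cache and zone in verified:
                break  # chain from here to the root is already trusted
            fetches[zone] += 1
            if use_cache:
                verified.add(zone)
    return fetches


def root_share(fetches):
    """Fraction of all KEY/SIG fetches that land on the root servers."""
    total = sum(fetches.values())
    return fetches["."] / total if total else 0.0


if __name__ == "__main__":
    # Constructed lookup stream from one stub population; not real traffic.
    lookups = ["www.example.com.", "mail.example.com.",
               "www.example.net.", "ftp.example.com."]
    for cached in (False, True):
        q = validation_queries(lookups, use_cache=cached)
        print(f"cache={cached}: root={q['.']} com.={q['com.']} "
              f"net.={q['net.']} root share={root_share(q):.2f}")
```

Without a cache the root and each TLD are hit once per leaf lookup, which is the scaling Derek worries about; with one, the root is fetched once and the per-lookup cost collapses to the leaf zone alone.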