At 10:27 PM 6/7/2002 -0400, Valdis.Kletnieks@VT.EDU wrote: >2) DNS has to be *FAST*, especially at the root - we're talking on the >order of 200K queries a *SECOND*. You figure out how to do that while >also tossing certificates around, let us know... I must be missing something. As far as I know, the root would not be distributing any certificates other than its own. The root would do its 20K/second/server identification of where the .com/.uk/.se/.whatever servers are just as it does now, and those servers would in turn do the example.com/etc service they do now, and example.com would reply with its key or cert. The issue would be the signatures on the keys/certs. In DNSSEC, the TLD is also an authority (registration or certificate, perhaps both), and has to sign a bazillion certificates.