There's a simple reason why the DNS isn't suitable as a PKI, and it has nothing to do with transitivity of trust, and nothing to do with DNS packet size limitations, or root server workloads. It is that DNS admins did not sign on for the job of authenticating anything (with the possible exception of the DNS itself). That's not what they do, and for most DNS admins & operators it isn't something they have any interest in doing. All it would take is one DNS admin somewhere in the path that counts to say "get lost" when asked for some appropriate certificate, and the whole model breaks. Just let the PKI stuff be done by those interested in certifying who is what, why, and perhaps where, and when, and leave us DNS types alone.

kre