Andrew Newton wrote:
On Jul 27, 2005, at 8:14 PM, Douglas Otis wrote:
Due to the above average resources consumed by public keys, the
number of separate keys should be kept proportional to what is
required to authenticate physical sources within the domain.
Excessive quantities of these public keys in DNS, when employed by an
application as ubiquitous as email, may negatively impact DNS
performance and stability.
This is good, except "resources" may be too generic. I was
specifically noting the memory footprint. I don't believe CPU overhead
or bandwidth utilization directly impacts the cache, though these may
impact the system. I would recommend swapping out "resources" for
Instead of hand-wringing here, it would be nice to know whether this
is a real problem or not. I had a lot of the same fears, but Mark
produced some stats from Y!'s mail server's use of DNS which showed
this to be essentially a non-problem(*) -- and Y! is certainly going to
be as worst-case a scenario as I can think of. If Mark's experience
turns out to be the norm, either we should say nothing, or mention
that the worry here turns out to be a non-issue.
[*] If I recall correctly, he said that the DNS cache for their
outbound mail servers was ~20k entries. Even 4-5x more seems
pretty insignificant given cheap memory, etc.
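To put numbers on the "memory footprint" point argued back and forth above, here is a back-of-envelope model, added as an example and not taken from the thread or from any of the participants. It assumes the public key is published as a base64 blob inside a TXT record under an owner name like `key1.mail.example.com` (the thread does not specify the record format or naming; both are assumptions here), that the key is an RSA SubjectPublicKeyInfo with roughly 34 bytes of DER framing around the modulus (an approximation), and that a resolver cache costs roughly the wire-format RR size plus a fixed per-entry bookkeeping overhead (also an assumption). The `cache_bytes` function then scales that per-record cost to the ~20k entries quoted for the outbound cache and to a 4-5x larger cache.

```python
"""Estimate resolver-cache memory for public-key TXT records versus ordinary A records.

Added example, not part of the original thread. Assumptions (labelled inline):
keys live in TXT records as base64, DER framing is ~34 bytes, and per-entry cache
overhead is a fixed constant.
"""
import base64

PER_ENTRY_OVERHEAD = 64   # assumed: fixed bookkeeping bytes per cache entry (hash links, TTL, flags)
DER_FRAMING_BYTES = 34    # assumed: ASN.1 framing around an RSA modulus in a SubjectPublicKeyInfo
TXT_PREFIX = "v=1; p="    # assumed tag syntax; the thread names no record format


def encode_name(name: str) -> bytes:
    """Uncompressed DNS wire name: each label length-prefixed, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label exceeds 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def encode_txt_rdata(text: str) -> bytes:
    """TXT RDATA per RFC 1035: one or more <character-string>s, each at most 255 octets,
    each prefixed by a one-octet length. A long key is split across several strings."""
    data = text.encode("ascii")
    if not data:
        return b"\x00"          # a TXT record must carry at least one (possibly empty) string
    out = b""
    for i in range(0, len(data), 255):
        chunk = data[i:i + 255]
        out += bytes([len(chunk)]) + chunk
    return out


def rr_wire_size(owner: str, rdata: bytes) -> int:
    """Octets of one RR on the wire: NAME + TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) + RDATA."""
    return len(encode_name(owner)) + 2 + 2 + 4 + 2 + len(rdata)


def key_record_size(owner: str, key_bits: int) -> int:
    """Wire size of a TXT record carrying a base64 RSA public key of key_bits.
    The DER length is modelled as modulus bytes plus DER_FRAMING_BYTES (approximation)."""
    der_len = key_bits // 8 + DER_FRAMING_BYTES
    blob = base64.b64encode(bytes(der_len)).decode("ascii")   # content irrelevant, only length matters
    return rr_wire_size(owner, encode_txt_rdata(TXT_PREFIX + blob))


def a_record_size(owner: str) -> int:
    """Wire size of an ordinary A record (4-octet RDATA) for comparison."""
    return rr_wire_size(owner, b"\x00" * 4)


def cache_bytes(entries: int, rr_size: int) -> int:
    """Approximate cache memory for `entries` records of `rr_size` octets each."""
    return entries * (rr_size + PER_ENTRY_OVERHEAD)


def compare(owner: str, key_bits: int, entries: int) -> dict:
    """Side-by-side estimate for a cache full of A records versus a cache full of key records."""
    a_size = a_record_size(owner)
    k_size = key_record_size(owner, key_bits)
    return {
        "a_record_octets": a_size,
        "key_record_octets": k_size,
        "key_to_a_ratio": round(k_size / a_size, 1),
        "a_cache_bytes": cache_bytes(entries, a_size),
        "key_cache_bytes": cache_bytes(entries, k_size),
    }


if __name__ == "__main__":
    owner = "key1.mail.example.com"   # assumed owner name
    for bits in (1024, 2048):
        for n in (20_000, 100_000):   # ~20k from the thread, and the "4-5x more" case
            r = compare(owner, bits, n)
            print(f"{bits}-bit key, {n:>7} entries: "
                  f"A={r['a_record_octets']}B key={r['key_record_octets']}B "
                  f"({r['key_to_a_ratio']}x), key cache ~{r['key_cache_bytes'] / 1e6:.1f} MB")
```

Under these assumptions a 2048-bit key record is roughly 430 octets on the wire against 37 for an A record at the same owner name, so a key-bearing record is an order of magnitude larger than the records a cache usually holds; even so, 100k such entries come to a few tens of megabytes, which is the scale the "cheap memory" remark is pointing at. The model ignores name compression, negative-cache entries and implementation-specific data structures, so treat the output as a lower bound on the per-record cost rather than a measurement.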