On Aug 3, 2005, at 2:03 AM, Tony Finch wrote:
> I think this will be less of a problem than you might expect (experience
> and evidence is at the tens of thousands of users level rather than the
> millions of users level).
>
> In the limit (no cache hits), the volume of DNS cache space used by
> keys will scale with the volume of email processed by the site, but
> hopefully DNS caches will provide some benefit so the cache space used
> will be less than this. In practice this benefit is surprisingly small
> because of the very heavy tail on the distribution of domains - I use
> the present tense because this is true now for the DNS lookups made by
> current MTAs in response to incoming email, e.g. sender domain
> verification. We're already close to at least one non-repeated DNS
> lookup per message. DKIM probably won't make it much worse even with
> per-user keys, and the damage can be mitigated by low TTLs.
>
> The following paper is very relevant to this. Its conclusion is that
> DNS is scalable because of the caching of NS records. Leaf record
> caching (they talk about A records looked up by clients, but the same
> would be true for email-driven lookups - MXs and DKKs) provides little
> benefit. The corollary is that increasing the load on the leaves is an
> attack on the foundations of DNS's scalability.

While there has been HTTP domain growth, as this paper indicates,
such domain use is not evenly distributed (heavy tail).
Should user-keys become widely deployed, perhaps to support
applications like OpenPGP or S/MIME, where the desire would be to
offer such keys to each and every user, this would create a broad
distribution of use. This may create several orders of growth in the
amount of data placed into the DNS cache. DNS cache represents a
limited resource. With already a quarter of DNS responses being
dropped, adding more UDP traffic will not improve upon this figure
either. At what point will DNS become unstable? This paper suggests
that 10 minute TTLs on A records would not represent a problem. Keys
however represent about 2 orders more DNS cache resource and
potentially in much greater numbers than domain names for locating

I think there should be a study that attempts to project the impact
of a worst case scenario where DKIM user-keys become popular for uses
beyond being delegated to just ad agencies and mobile users.
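The cache-pressure argument in this exchange can be made concrete with a small replay model. The following is an added example written for this page; it is not code from either correspondent or from the paper under discussion. It constructs a heavy-tailed (Zipf) stream of sender domains, derives the DKIM key names that a verifying MTA would look up, and replays them through a resolver cache with a fixed TTL, reporting hit rate and peak live entries. The naming is a modelling assumption: per-domain keys are one selector per domain (`s1._domainkey.<domain>`), and per-user keys are modelled as one selector per user (`<user>._domainkey.<domain>`). Traffic volumes, the Zipf exponent and the TTLs are likewise constructed inputs, not measurements.

```python
"""Toy model of resolver-cache pressure from DKIM key lookups (added example).

Assumptions (not from the original thread): sender domains follow a Zipf
distribution, messages arrive at a constant rate, the cache honours TTLs
exactly and never refreshes an entry on a hit (as a DNS cache does not).
"""
import random
from collections import OrderedDict


def zipf_senders(n_domains, users_per_domain, n_messages, exponent=1.1, seed=1):
    """Constructed sample traffic: (domain, user) per message, with domain
    popularity heavy-tailed (rank^-exponent) and a random user per domain."""
    rng = random.Random(seed)
    weights = [rank ** -exponent for rank in range(1, n_domains + 1)]
    domains = rng.choices(range(n_domains), weights=weights, k=n_messages)
    return [(f"d{d}.example", f"u{rng.randrange(users_per_domain)}") for d in domains]


def per_domain_names(senders, selector="s1"):
    """One key per domain: every message from a domain hits the same name."""
    return [f"{selector}._domainkey.{dom}" for dom, _user in senders]


def per_user_names(senders):
    """Hypothetical per-user keys, modelled as one selector per user."""
    return [f"{user}._domainkey.{dom}" for dom, user in senders]


def simulate_cache(names, interval, ttl):
    """Replay lookups (one every `interval` seconds) through a TTL cache.

    Because the TTL is constant and time is monotonic, entries expire in
    insertion order, so the OrderedDict front always holds the oldest expiry.
    Returns hit rate, total misses (authoritative queries) and the peak
    number of live entries (a proxy for cache space).
    """
    cache = OrderedDict()  # name -> absolute expiry time
    hits = misses = peak = 0
    for i, name in enumerate(names):
        now = i * interval
        # Lazily evict everything whose TTL has run out.
        while cache and next(iter(cache.values())) <= now:
            cache.popitem(last=False)
        if name in cache:
            hits += 1
        else:
            misses += 1
            cache[name] = now + ttl
            peak = max(peak, len(cache))
    total = hits + misses
    return {
        "hit_rate": hits / total if total else 0.0,
        "misses": misses,
        "peak_entries": peak,
    }


def compare(n_domains=2000, users_per_domain=50, n_messages=20000,
            rate_per_sec=5.0, ttl=600):
    """Same constructed traffic, per-domain vs per-user key names."""
    senders = zipf_senders(n_domains, users_per_domain, n_messages)
    interval = 1.0 / rate_per_sec
    return {
        "per_domain": simulate_cache(per_domain_names(senders), interval, ttl),
        "per_user": simulate_cache(per_user_names(senders), interval, ttl),
    }


if __name__ == "__main__":
    for ttl in (60, 600, 3600):
        result = compare(ttl=ttl)
        for mode, stats in result.items():
            print(f"ttl={ttl:5d}s {mode:10s} hit_rate={stats['hit_rate']:.3f} "
                  f"misses={stats['misses']:6d} peak_entries={stats['peak_entries']}")
```

Two properties hold for any input sequence, not just the constructed one: since each per-user name maps to exactly one per-domain name, the per-user cache can never hold fewer live entries than the per-domain cache at the same instant, and its hit rate can only be lower or equal. What the replay adds is the size of the gap under a heavy tail: the handful of popular domains keep hitting under either scheme, while the long tail of rarely seen domains misses under both, so most of the extra per-user cache space is spent on entries that are never reused before their TTL expires. Note that key records are also much larger than A or MX records, so peak entry counts understate the byte cost.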