ietf-mailsig

Re: Anonymous signed mail

2004-10-06 02:58:02


On Fri, 1 Oct 2004 domainkeys-feedbackbase01(_at_)yahoo(_dot_)com wrote:

> That entirely depends on whether you want to be pragmatic or
> idealistic. As far as I can tell, changes to DNS are glacial at best. In
> the very best of circumstances, a new DNS type takes at least five and
> more likely ten years before it can be safely assumed to have
> wide-spread support.

I do not believe it's as much of a problem. Assigning a new type takes
a couple of months. In the majority of DNS servers the new types are supported
just by number, and a program can be written fairly quickly that would
convert the data structure of this type into pure binary RDATA for use by
those servers.

The use of unknown types is supported by the majority of resolvers; again,
a conversion library can be used on the side of the program using
this type to understand its actual structure.

I would also note that since we're designing something to be used for MTAs
we have to take into account that deployment would be done on the same machines.
The only real problem with a new DNS type seems to come from Windows systems,
but 80% or more of mail servers are run on Unix machines (I don't know
the actual numbers, it may be even higher by 10 percentage points). For
DNS servers, the use of Unix systems is well above 95%.

Also, as has been found, Windows DNS resolvers can support a new DNS type with
some extra custom code, but there is a problem when a Windows-based DNS
proxy/firewall is involved. However, you really can't put a public Internet
mail server behind such a firewall, so while businesses do use it for end-user
machines, in the same configuration the mail server usually stays outside of
the firewall setup.

So I do believe that even initially those that can't use the new type would
account for less than 5% of the installed base of mail server systems.

> By saying that TXT is inappropriate you are effectively saying that any
> solution that uses the DNS is 5-10 years from practical deployment.

You're greatly, greatly overestimating the problem with new DNS types.
I believe practical deployment with a new DNS type would either not result in
any increase of deployment time at all or may increase it by no more than
25% (maybe one year if you want a concrete number).

> In effect the DNS folk are a classic chicken-and-egg problem. Even relatively
> non-controversial changes like EDNS0, which was promulgated in 1999, have
> still to achieve wide-spread support, some 5 years later.

The reasons for EDNS0's slow deployment have nothing to do with new DNS types
but have to do with the necessary changes to the core of some DNS servers and
resolvers to support it.

> > If it can't fit into a DNS packet, I actually favor an ESMTP extension
>
> 2048-bit keys can fit in UDP DNS replies. Do you want more than that?

I think 1024-bit keys are enough and we may even be OK with 512 bits.
There is no necessity for very strong encryption for short-term signatures,
and stronger encryption would result in considerable CPU costs of
deploying the solution.

---
William Leibzon, Elan Networks:
 mailto: william(_at_)elan(_dot_)net
Anti-Spam and Email Security Research Worksite:
 http://www.elan.net/~william/emailsecurity/
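An added example, not from William's message or from any DomainKeys implementation, illustrating two points argued in the message above: carrying a new binary RR type in RFC 3597 generic form (`TYPEnnn \# len hex`) for servers and resolvers that know it only by number, and checking whether a 2048-bit RSA key fits in a classic 512-byte UDP DNS reply as binary RDATA of a new type versus base64 text in a TXT record. The type number 65280, the owner name `selector._domainkey.example.com`, the TXT encoding as plain base64 and the placeholder modulus are assumptions of this example, not anything specified by the thread.

```python
"""
Added example (not from the ietf-mailsig thread or any DomainKeys code):
a new binary RR type handled by number via RFC 3597 generic syntax, plus a
size check of a 2048-bit RSA key in a 512-byte UDP reply as binary RDATA
versus base64 in TXT. Type number, owner name and key bytes are assumptions.
"""
import base64

PRIVATE_TYPE = 65280        # assumption: a code point from the private-use RR type range (65280-65534)
MAX_UDP_NO_EDNS = 512       # classic UDP DNS message limit without EDNS0 (RFC 1035)
RSA_E = b"\x01\x00\x01"     # public exponent 65537
# Constructed 2048-bit placeholder modulus (not a real key); high bit set like a real modulus.
PLACEHOLDER_MODULUS = bytes([0xC3]) + bytes(range(255))


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV with definite-length encoding."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_uint(value: bytes) -> bytes:
    """DER INTEGER for a positive big-endian number; pad so the sign bit reads 0."""
    return _der(0x02, (b"\x00" if value[0] & 0x80 else b"") + value)


def rsa_spki_der(modulus: bytes, exponent: bytes) -> bytes:
    """Structured key -> binary RDATA: an X.509 SubjectPublicKeyInfo for rsaEncryption."""
    rsa_oid = _der(0x06, bytes.fromhex("2a864886f70d010101"))   # OID 1.2.840.113549.1.1.1
    alg_id = _der(0x30, rsa_oid + _der(0x05, b""))
    rsa_pub = _der(0x30, _der_uint(modulus) + _der_uint(exponent))
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))  # BIT STRING, 0 unused bits


def to_generic(rtype: int, rdata: bytes) -> str:
    r"""RFC 3597 zone-file form for a type the server knows only by number: TYPEnnn \# len hex."""
    return f"TYPE{rtype} \\# {len(rdata)} {rdata.hex()}"


def from_generic(text: str) -> tuple[int, bytes]:
    """Parse RFC 3597 generic syntax; hex may be whitespace-split, and the length must match."""
    fields = text.split()
    if len(fields) < 3 or not fields[0].upper().startswith("TYPE") or fields[1] != "\\#":
        raise ValueError("not RFC 3597 generic syntax")
    rtype = int(fields[0][4:])
    declared = int(fields[2])
    rdata = bytes.fromhex("".join(fields[3:]))
    if len(rdata) != declared:
        raise ValueError(f"length field says {declared}, hex data is {len(rdata)} bytes")
    return rtype, rdata


def txt_rdata(data: bytes) -> bytes:
    """TXT RDATA for the same key: base64 split into <character-string>s of at most 255 bytes."""
    text = base64.b64encode(data)
    chunks = [text[i:i + 255] for i in range(0, len(text), 255)]
    return b"".join(bytes([len(c)]) + c for c in chunks)


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a domain name: one length byte per label plus the root byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return sum(1 + len(lbl) for lbl in labels) + 1


def response_size(qname: str, rdata: bytes) -> int:
    """Smallest response carrying one answer: header, question, answer with a 2-byte name pointer."""
    question = wire_name_len(qname) + 4            # QNAME, QTYPE, QCLASS
    answer = 2 + 2 + 2 + 4 + 2 + len(rdata)        # NAME ptr, TYPE, CLASS, TTL, RDLENGTH, RDATA
    return 12 + question + answer


def compare_sizes(qname: str, modulus: bytes, exponent: bytes) -> dict:
    """Response sizes for the key as binary RDATA of a new type vs. base64 in TXT."""
    der = rsa_spki_der(modulus, exponent)
    return {
        "binary": response_size(qname, der),
        "txt": response_size(qname, txt_rdata(der)),
        "limit": MAX_UDP_NO_EDNS,
    }


if __name__ == "__main__":
    der = rsa_spki_der(PLACEHOLDER_MODULUS, RSA_E)
    generic = to_generic(PRIVATE_TYPE, der)
    assert from_generic(generic) == (PRIVATE_TYPE, der)   # round trip through the by-number form
    print(generic[:60] + "...")
    for form, size in compare_sizes("selector._domainkey.example.com", PLACEHOLDER_MODULUS, RSA_E).items():
        print(f"{form:>6}: {size} bytes")
```

With these assumptions a 2048-bit key produces a 294-byte SubjectPublicKeyInfo; a minimal reply for it is 355 bytes as binary RDATA and 455 bytes as base64 TXT, so both fit under 512 without EDNS0, but only as long as the reply carries no additional records. The length check in `from_generic` matters in practice: the `\#` count is what a by-number server uses to frame the RDATA, and a hand-edited zone file that disagrees with its hex should be rejected rather than served truncated. The code says nothing about middleboxes; a DNS proxy that drops unknown types, as the message describes for some Windows setups, is a deployment question, not an encoding one.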

