On Mar 4, 2005, at 9:21 AM, Mark Baugher wrote:
Revocation schemes that scale up to the numbers we are discussing
typically don't attempt to mirror the DNS nor require large server
farms.
Let's say Yahoo has 40 million email accounts (that's probably pretty
high) and has to revoke 10%. That's 4 million A records. I know of
several small organizations that support twice that much DNS info just
using stock BIND. Plus this assumes that all 10% are revoked within
the same active key period. Once the signing key has been removed from
DNS, there is no need for the corresponding A records as well.
-andy