ietf-mailsig

Re: revised Proposed Charter

2005-07-27 21:56:48

--- "william(at)elan.net" <william(_at_)elan(_dot_)net> wrote:

> It is in fact that design that makes putting public key in dns an issue.
> The designers did not really see DNS as appropriate for that kind of work.
> But why don't you ask designers yourself - namedroppers is the place.

Well, I don't know about namedroppers, but Paul Mockapetris seems quite
comfortable with extending DNS in surprising ways, such as ENUM where all 4
billion phone numbers are in the DNS, or RFID, where every RFID tag is in the
DNS.

This narrowly defined notion of "appropriate" DNS usage is akin to those who
insist that email was only designed for text and sending attachments is
"inappropriate" and risks destroying the email infrastructure.

What such naysayers don't want to accept is the fact that using a technology in
novel ways is a measure of its success, not a cause for concern.

I might add that experience suggests that the DNS infrastructure is amazingly
resilient and has survived all sorts of "abuse" that namedroppers never
anticipated or wanted. How so?

Think RBLs. People have deployed and queried RBL services without bothering to
get the sanction of namedroppers - they didn't create an appropriate new RR,
rather they "abused" A RRs. They also started with zero queries per day, and
rapidly rose to perhaps billions per day. Surprise, surprise, the global DNS did
not collapse.

Think reverse lookup load. We have turned on and off reverse look-ups on our
inbound email at various times over the last 4-5 years. That's a net
change of billions of largely uncachable DNS queries per day. Did anyone
notice? Not that I heard. Did the sky fall in? Not that I noticed.

Think size of responses. At various times, for operational reasons, the MX for
yahoo.com has returned a large list of A records that are very close to the
maximum size response that fits in a UDP packet. At other times - such as now -
it returns a relatively small list of A records. I know the same has been true
of other large MX targets, such as AOL and Hotmail. In aggregate, these three
sites probably represent a substantial proportion of cached MX entries. Did the
caches fry when we made changes? Not that anyone noticed.

Think call-back SMTP. I know a number of widely used products and large ISPs
woke up one day and started doing SMTP call-backs to try and verify MAIL FROM
addresses. Did anyone notice the extra millions of MX lookups when they turned
the switch on? Not that I heard.


The simple fact of the matter is that the global DNS has proven to be
resilient, flexible and scalable time and time again. That email is a small and
diminishing part of Internet traffic is also an important observation.
Consequently, to suggest that the global DNS is a fragile beast and any novel
use by email needs sanction from namedroppers, for fear that the sky will fall
in, might make namedroppers feel important, and it might be PC, but it's not
even close to being a deployment necessity or imperative.


Mark.
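Two of the mechanisms Mark points to above, the RBL convention of encoding a lookup as an A-record query and the 512-byte UDP ceiling that a large MX answer set runs up against, can be modelled offline. The following is an added example written for this archive page; it is not code from the poster or from any project discussed in the thread. The zone name `bl.example.net`, the host names and the record counts are constructed sample values, and the size model assumes RR owner names are sent as 2-byte compression pointers while exchange names in MX RDATA are sent uncompressed.

```python
"""Offline model of two DNS usage patterns discussed in the thread (added example)."""
import ipaddress

DNS_HEADER_BYTES = 12   # fixed DNS message header
UDP_DNS_LIMIT = 512     # classic RFC 1035 UDP payload limit without EDNS0


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the A-record query name a DNSBL client sends: IPv4 octets reversed, then the list zone.

    For example, 192.0.2.10 against bl.example.net becomes 10.2.0.192.bl.example.net.
    """
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}"


def dnsbl_listed(answer_addrs) -> bool:
    """DNSBL convention: any A answer inside 127.0.0.0/8 means 'listed'; no answer means not listed."""
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    return any(ipaddress.IPv4Address(a) in loopback for a in answer_addrs)


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a domain name: one length byte per label, the label bytes, one root byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def mx_response_size(qname: str, mx_hosts, a_records_per_host: int) -> int:
    """Approximate wire size of an MX response carrying A records for each exchange in the additional section.

    Assumptions (constructed model, not measured): RR owner names are 2-byte compression pointers,
    the MX exchange name in RDATA is uncompressed, each A RR is 16 bytes on the wire.
    """
    size = DNS_HEADER_BYTES + wire_name_len(qname) + 4          # question: QNAME + QTYPE + QCLASS
    for host in mx_hosts:
        # MX RR: owner ptr(2) + TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) + preference(2) + exchange name
        size += 2 + 2 + 2 + 4 + 2 + 2 + wire_name_len(host)
    # A RR: owner ptr(2) + TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) + address(4)
    size += a_records_per_host * len(mx_hosts) * 16
    return size


def max_a_records_in_udp(qname: str, mx_hosts) -> int:
    """Largest number of A records per exchange that still fits the 512-byte UDP limit without truncation."""
    n = 0
    while mx_response_size(qname, mx_hosts, n + 1) <= UDP_DNS_LIMIT:
        n += 1
    return n


if __name__ == "__main__":
    # Constructed sample values for demonstration only.
    print(dnsbl_query_name("192.0.2.10", "bl.example.net"))
    print(dnsbl_listed(["127.0.0.2"]), dnsbl_listed([]))
    print(mx_response_size("example.com", ["mx1.example.com"], 1))
    print(max_a_records_in_udp("example.com", ["mx1.example.com"]))
```

The size model shows why a single-exchange MX answer runs out of UDP headroom after a few dozen A records: once the reply exceeds 512 bytes the server sets the TC bit and the client falls back to TCP, which is the cliff the message describes large MX targets sitting close to.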
