Excellent.
Let me add that TXT records are specified in the DNS documents. I didn't invent that, they did. DNS *intends* their use (or they wouldn't be part of the specs) and does not prohibit their content from containing our keys. Such use _does not_ constitute "abuse" by any stretch.
--
Arvel
----- Original Message -----
From: <domainkeys-feedbackbase02(_at_)yahoo(_dot_)com>
To: <ietf-mailsig(_at_)imc(_dot_)org>
Sent: Wednesday, July 27, 2005 11:50 PM
Subject: Re: revised Proposed Charter
--- "william(at)elan.net" <william(_at_)elan(_dot_)net> wrote:
It is in fact that design that makes putting public key in dns an issue. The designers did not really see DNS as appropriate for that kind of work.
But why don't you ask designers yourself - namedroppers is the place.
Well, I don't know about namedroppers, but Paul Mockapetris seems quite comfortable with extending DNS in surprising ways, such as ENUM where all 4 billion phone numbers are in the DNS, or RFID, where every RFID tag is in the DNS.
This narrowly defined notion of "appropriate" DNS usage is akin to those who insist that email was only designed for text and sending attachments is "inappropriate" and risks destroying the email infrastructure.
What such naysayers don't want to accept is the fact that using a technology in novel ways is a measure of its success, not a cause for concern.
I might add that experience suggests that the DNS infrastructure is amazingly resilient and has survived all sorts of "abuse" that namedroppers never anticipated or wanted. How so?
Think RBLs. People have deployed and queried RBL services without bothering to get the sanction of namedroppers - they didn't create an appropriate new RR, rather they "abused" A RRs. They also started with zero queries per day, and rapidly rose to perhaps billions per day. Surprise surprise, the global DNS did not collapse.
Think reverse lookup load. We have turned on and off reverse look-ups on our inbound email at various times over the last 4-5 years. That's a net change of billions of largely uncachable DNS queries per day. Did anyone notice? Not that I heard. Did the sky fall in? Not that I noticed.
Think size of responses. At various times, for operational reasons, the MX for yahoo.com has returned a large list of A records that are very close to the maximum size response that fits in a UDP packet. At other times - such as now - it returns a relatively small list of A records. I know the same has been true of other large MX targets, such as AOL and Hotmail. In aggregate, these three sites probably represent a substantial proportion of cached MX entries. Did the caches fry when we made changes? Not that anyone noticed.
Think call-back SMTP. I know a number of widely used products and large ISPs woke up one day and started doing SMTP call-backs to try and verify MAIL FROM addresses. Did anyone notice the extra millions of MX lookups when they turned the switch on? Not that I heard.
The simple fact of the matter is that the global DNS has proven to be resilient, flexible and scalable time and time again. That email is a small and diminishing part of Internet traffic is also an important observation. Consequently, to suggest that the global DNS is a fragile beast and any novel use by email needs sanction from namedroppers, for fear that the sky will fall in, might make namedroppers feel important, and it might be PC, but it's not even close to being a deployment necessity or imperative.
Mark.
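Added example (mine, not code from anyone in this thread): a minimal DNS wire-format encoder that makes the two sizing points above concrete, the 512-byte UDP limit on an MX target's A-record list and the room a DomainKeys-style TXT record has for a key. The selector name and the key strings are constructed placeholders, not real records.

```python
import struct

UDP_LIMIT = 512  # classic DNS-over-UDP payload limit without EDNS0 (RFC 1035)
TYPE_A, TYPE_TXT = 1, 16

def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels, zero-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def txt_rdata(text: str) -> bytes:
    """TXT RDATA is a sequence of <len><chars> strings, each at most 255 octets."""
    data = text.encode("ascii")
    out = b""
    for i in range(0, len(data), 255):
        chunk = data[i:i + 255]
        out += bytes([len(chunk)]) + chunk
    return out

def build_response(name: str, rtype: int, rdatas: list[bytes]) -> bytes:
    """Header + question + one answer RR per RDATA; owner names use a
    compression pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(rdatas), 0, 0)
    question = encode_name(name) + struct.pack("!HH", rtype, 1)
    answers = b""
    for rd in rdatas:
        answers += struct.pack("!HHHIH", 0xC00C, rtype, 1, 300, len(rd)) + rd
    return header + question + answers

def fits_in_udp(msg: bytes) -> bool:
    """True if the response needs no TC bit / TCP retry under the classic limit."""
    return len(msg) <= UDP_LIMIT

def max_a_records(name: str) -> int:
    """Largest A-record set for `name` whose response still fits in 512 bytes."""
    n = 0
    while fits_in_udp(build_response(name, TYPE_A, [b"\x0a\x00\x00\x01"] * (n + 1))):
        n += 1
    return n

def domainkeys_txt_response(selector_name: str, key_b64: str) -> bytes:
    """Response for a selector TXT record carrying a public key (constructed content)."""
    return build_response(selector_name, TYPE_TXT, [txt_rdata("k=rsa; p=" + key_b64)])
```

For yahoo.com the answer is 30 A records (507 bytes); a 216-character base64 key (the size of a 1024-bit RSA key) fits in one TXT string and a 392-character one (2048-bit) still fits the UDP limit split across two strings.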