spf-discuss

[spf-discuss] Re: Fwd: Automatic key verification / CERT in DNS / RFC4398

2006-04-06 11:28:05
At 12:59 PM +0200 2006-04-06, Werner Koch wrote:

     Yeah, but that's probably 31.999999999999999999999999999 more
     bytes than you're storing in the DNS today (per user), and with tens
     of millions of users in a single flat zone, all that adds up really
     fast.

 Please name another reliable directory service.  LDAP is far too heavy
 and thus I believe DNS can be made workable for such goals much
 easier.

DNS is designed to be distributed, and to handle failures through replication, redundancy, and caching.

 Do you think splitting the zones up in say  us.e.r._pka.example.net
 would be helpful?

Putting the zones in a hierarchy will certainly help. That way you don't have to change and reload an entire zone with millions of users, each time that a single modification has to be made.

However, I would be careful in choosing a particular hashing scheme that will be set in stone -- what is sustainable for a small site will be totally inappropriate for a large site.

 And here we know that it works.  Consider all the people using
 webmailers or POP3.  No problem at all to serve millions of users.

Remember what kind of load it added to your web server when you switched everything over to SSL, and didn't allow any non-SSL connections? Or what happened when you switched everyone over to POP3S or IMAPS exclusively, and didn't allow any unencrypted POP3 or IMAP connections? You know those crypto accelerator cards that you had to add to all your webservers to support high levels of SSL usage?

This is going to be orders of magnitude worse, since those uses of encryption are on a per-connection basis, and not per-message.

--
Brad Knowles, <brad(_at_)stop(_dot_)mail-abuse(_dot_)org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

    -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
    Assembly to the Governor, November 11, 1755

 LOPSA member since December 2005.  See <http://www.lopsa.org/>.

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/