RE: Storing Certificates in the DNS (draft-ietf-dnsext-rfc2538bis-08)
While storing certificates in the DNS makes sense in some applications, I
would be concerned if this proposal was intended to make DNS the
recommended storage mechanism.

The problem is that the original DNS protocol has a hard-wired limit of
512 bytes for a UDP packet, after which it falls back to TCP/IP. This
limitation has been eased in part by the DNSEXT work, but the maximum UDP
packet size is still effectively limited by the Ethernet MTU in most
real-world applications. If the application falls back to TCP, it is much
simpler, cleaner and more effective to simply use HTTP, which is designed
as a TCP/IP protocol.

In theory DNSEXT is deployed and TCP/IP fallback for DNS works fine. The
practice is very different. The DNSEXT group has a habit of faith-based
deployment, i.e. if they declare the protocol deployed, it is deployed.

There are certainly cases where storing a cert in the DNS is useful, but
it is important that the limitations of this approach be understood and
that it does not become another architectural fiat from the DNSEXT
group.
> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx
> [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Tom Gindin
> Sent: Wednesday, October 12, 2005 6:39 PM
> To: Russ Housley
> Cc: ietf-pkix@xxxxxxx; simon@xxxxxxxxxxxxx
> Subject: Re: Storing Certificates in the DNS
> (draft-ietf-dnsext-rfc2538bis-08)
>
>
> Russ:
>
> Are there any guidelines for CRL owner names, since
> they're covered in the draft although DNS distribution points
> aren't detailed in RFC 3280? If there aren't any, IMHO a
> reasonable rule would be that if any sequence member of the
> distribution point name is a domain name (not a URI), that
> should be used. Also (and lower in precedence), if any
> sequence member of the distribution point name is an RFC 822
> address, its standard translation should be used. I doubt if
> URIs will work without conflicts.
> I don't know if these count as "concerns".
>
> Tom Gindin
> P.S. The opinions above are mine, and not necessarily those of my
> employer.
>
>
>
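The 512-byte UDP limit, the EDNS0 OPT record that advertises a larger UDP payload size, and the truncation (TC) bit that forces the TCP retry discussed in the reply above, shown at the wire level. This is an added example and is not code from either message in this thread or from the rfc2538bis draft; the packets (a CERT query for a made-up name and a server response with TC set) are constructed inline so it runs offline, and the function names are the example's own.

```python
"""DNS wire-format helpers: query with and without an EDNS0 OPT record,
the advertised UDP payload size, and TC-bit detection for TCP fallback.
Added example; sample packets below are constructed, not captured."""
import struct

QTYPE_CERT = 37          # CERT RR type (RFC 2538 / rfc2538bis)
RRTYPE_OPT = 41          # EDNS0 OPT pseudo-RR
CLASSIC_UDP_LIMIT = 512  # pre-EDNS0 maximum DNS message size over UDP


def encode_name(name):
    """Encode 'example.com' as DNS labels: \\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, edns_udp_size=None):
    """Build a DNS query. When edns_udp_size is given, an OPT RR is appended
    in the additional section; its CLASS field carries the UDP payload size
    the client can accept (RFC 6891), which is what lifts the 512-byte cap."""
    flags = 0x0100  # RD (recursion desired)
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=ext. flags, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", RRTYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into its fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),   # truncated: answer did not fit in UDP
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two octets
            return off + 2
        off += 1 + length


def advertised_udp_size(query):
    """UDP payload size advertised in an OPT RR, or 512 if the query has none."""
    h = parse_header(query)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(query, off) + 4          # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == RRTYPE_OPT:
            return rclass
        off += 10 + rdlen
    return CLASSIC_UDP_LIMIT


def needs_tcp_fallback(response):
    """A resolver must retry the query over TCP when the server set TC."""
    return parse_header(response)["tc"]


def make_truncated_response(query):
    """Constructed sample: a server echoing the question with TC=1, as it
    would when a CERT RRset does not fit the client's advertised UDP size."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0200 | 0x0100 | 0x0080   # QR, TC, RD, RA
    qend = skip_name(query, 12) + 4
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:qend]


if __name__ == "__main__":
    plain = build_query("cert.example", QTYPE_CERT)
    edns = build_query("cert.example", QTYPE_CERT, edns_udp_size=4096)
    print("plain query advertises", advertised_udp_size(plain), "bytes")
    print("EDNS0 query advertises", advertised_udp_size(edns), "bytes")
    print("TC set, retry over TCP:", needs_tcp_fallback(make_truncated_response(plain)))
```

A query without the OPT record leaves the server no choice but to truncate any CERT RRset larger than 512 bytes, and a client that does not honour TC on such a response silently loses the certificate; the advertised size is also bounded in practice by the path MTU, since a 4096-byte UDP payload fragments and fragments are frequently dropped.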