From: "Perry E. Metzger" <perry@panix.com>
Date: Sat, 12 Aug 95 05:35:08 PDT
To: trei@process.com
Subject: Re: IPSEC goes to RFC
In-Reply-To: <9508111351.AA04381@toad.com>
Message-ID: <199508121234.IAA03887@panix4.panix.com>
MIME-Version: 1.0
Content-Type: text/plain



"Peter Trei" writes:
> Don Eastlake has actually done a draft RFC on
> using the DNS for key distribution.

Its more than a draft -- at this point it is very clearly standards
track. Note that the document in question only covers security for the
DNS itself, but the side effect is that you've built all the
mechanisms you need for general key distribution. Don is now working
on the certificate formats.

> It may be found at 
> 
> ftp://ietf.cnri.reston.va.us/internet-drafts/draft-ietf-dnssec-secext-04.txt
> 
> He briefed the W3C security working group about
> this recently, and a number of people raised objections, notably
> 
> * database bloat
> * zone transfer bloat
> * increased hits on root servers due to a new class of inquiry.

As I've noted, given the actual in-field experience of Hesiod, I'm not
in the least worried.

.pm