On Aug 28, 2013, at 8:34 AM, Perry E. Metzger wrote:

> On Tue, 27 Aug 2013 23:39:51 -0400 Jerry Leichter <leich...@lrw.com>
> wrote:
>> It's not as if this isn't a design we have that we know works:
>> DNS.
Read what I said:  There's a *design* that works.

I never suggested *using DNS* - either its current physical instantiation, or 
even necessarily the raw code.  In fact, I pointed out some of the very 
problems you mention.

What defines the DNS model - and is in contrast to the DHT model - is:

- Two basic classes of participants, those that track potentially large amounts 
of data and respond to queries and those that simply cache for local use;
- Caching of responses for authoritative-holder-limited amounts of time to 
avoid re-querying;
- A hierarchical namespace and a corresponding hierarchy of caches.

DNS and DNSSEC as implemented assume a single hierarchy, and they map the 
hierarchy to authority.  These features are undesirable and should be avoided.

                                                        -- Jerry

The cryptography mailing list

Reply via email to