Noel Chiappa wrote in <20180624131458.6E96518C082(a)mercury.lcs.mit.edu>:
|> On 06/23/2018 04:38 PM, Steffen Nurpmeso wrote:
|
|> Others like DNS are pretty perfect and scale fantastic.
|
|It's perhaps worth noting that today's DNS is somewhat different from the
|original; some fairly substantial changes were made early on (although maybe
|it was just in the security, I don't quite recall).
No.. not that I know?
|(The details escape me at this point, but at one point I did a detailed study
|of DNS, and DNS security, for writing the security architecture document for
|the resolution system in LISP - the networking one, not the language.)
It is basically still the same as what Mockapetris designed, or it
was like this in 2004..2005 at least. We have seen many new types
and extensions and clarifications (many early after the DNS RFCs
1035+ were published, for example RFC 1122, "Requirements for
Internet Hosts -- Communication Layers"), like EDNS to extend the
DGRAM packet size and such, and then luckily someone from the IETF
really waved through transport layer security for DNS, via TCP and
also via DTLS, which made me really happy. (RFC 8310, and 7858
(TCP) and 8094 (UDP).) There were a lot of RFCs regarding zone
transfer; I have to admit that I never read those, as I never had
anything to do with the server side of DNS.
But the DNS concept by itself scales still and is unchanged?!?
I would expect that in the future more and more software becomes
capable of following chains of trust from zone to zone upwards, so
that individual zones can use zone-specific TLS certificates,
signed only by zones higher up the layer... or a member of the CA
pool; the root zone is pretty much U.S.A., which is possibly a bit
unfair.
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)