At 10:27 PM 6/7/2002 -0400, [EMAIL PROTECTED] wrote:
>2) DNS has to be *FAST*, especially at the root - we're talking on the
>order of 200K queries a *SECOND*. You figure out how to do that while
>also tossing certificates around, let us know...

I must be missing something. As far as I know, the root would not be distributing any certificates other than its own. The root would do its 20K/second/server identification of where the .com/.uk/.se/.whatever servers are just as it does now, and those servers would in turn do the example.com/etc service they do now, and example.com would reply with its key or cert. The issue would be the signatures on the keys/certs. In DNSSEC, the TLD is also an authority (registration or certificate, perhaps both), and has to sign a bazillion certificates.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]