[Hipsec-rg] reverse DNS lookups of HITs

shengjiang at huawei.com (JiangSheng 66104) Tue, 13 January 2009 10:21 UTC

From: "shengjiang at huawei.com"
Date: Tue, 13 Jan 2009 18:21:43 +0800
Subject: [Hipsec-rg] reverse DNS lookups of HITs
Message-ID: <f808bd0c3515b.3515bf808bd0c@huawei.com>

> > > I see how one could technically build such a name server, but I'm
> > > wondering about the scalability of it and how it would operationally be
> > > deployed.
> >
> > I guess one modern server could keep like ten million records in RAM? How
> > many base exchanges can it do per second? Reverse DNS updates are rare
> > anyway.
> >
> > When HIP gets widely deployed and there are millions of users, we might
> > hope to use more resources :)
> >
> 
> This type of question is precisely what this research group's primary
> charter is to answer, in my opinion.  What are the consequences of
> deploying HIP on a large scale in the Internet?  If it means that we
> will have a few root servers handling reverse DNS queries for all hosts,
> without any aggregation, how will that architecture scale, and how will
> the deployment incentives work?  Or, if that turns out to be a bad idea,
> what are the practical alternatives that allow someone to write
> domain-name-based ACLs?

This is exactly what we need hierarchical HITs for. (See http://tools.ietf.org/id/draft-jiang-hiprg-hhit-arch-01.txt.) The aggregation of the Hierarchical HIT proposal can help to organize HITs in a large-scale deployment and improve lookup efficiency in either a mapping system (such as DNS, or DHT, etc.) or an ACL. This proposal is also compatible with the flat-structured HIT architecture, which can meet the requirement of privacy.

Regards,

Sheng Jiang