[Hipsec-rg] reverse DNS lookups of HITs

thomas.r.henderson at boeing.com (Henderson, Thomas R) Mon, 12 January 2009 20:58 UTC

From: "thomas.r.henderson at boeing.com"
Date: Mon, 12 Jan 2009 12:58:43 -0800
Subject: [Hipsec-rg] reverse DNS lookups of HITs
In-Reply-To: <alpine.LFD.2.00.0901122213140.17180@stargazer.pc.infrahip.net>
References: <77F357662F8BFA4CA7074B0410171B6D07B0BBE5@XCH-NW-5V1.nw.nos.boeing.com> <alpine.LFD.2.00.0901071641330.12787@stargazer.pc.infrahip.net> <77F357662F8BFA4CA7074B0410171B6D07B0BC6B@XCH-NW-5V1.nw.nos.boeing.com><alpine.LFD.2.00.0901121802320.17180@stargazer.pc.infrahip.net><77F357662F8BFA4CA7074B0410171B6D07B0BC70@XCH-NW-5V1.nw.nos.boeing.com> <alpine.LFD.2.00.0901122112420.17180@stargazer.pc.infrahip.net><77F357662F8BFA4CA7074B0410171B6D07B0BC76@XCH-NW-5V1.nw.nos.boeing.com> <alpine.LFD.2.00.0901122213140.17180@stargazer.pc.infrahip.net>
Message-ID: <77F357662F8BFA4CA7074B0410171B6D07B0BC78@XCH-NW-5V1.nw.nos.boeing.com>


> -----Original Message-----
> From: Oleg Ponomarev [mailto:oleg.ponomarev at hiit.fi] 
> Sent: Monday, January 12, 2009 12:39 PM
> To: Henderson, Thomas R
> Cc: hipsec-rg at listserv.cybertrust.com
> Subject: Re: [Hipsec-rg] reverse DNS lookups of HITs
> 
> Hi! On Mon, 12 Jan 2009, Henderson, Thomas R wrote:
> 
> > Yes, but how do you delegate below that top level?
> >
> > If I am a HIP user, and I generate a key for myself, how do I register
> > it with A.OUR-SERVERS.NET.?  Do they have an open policy and let just
> > anyone in the Internet add a record for themselves?
> 
> I would say yes. If there is a DoS attack, give puzzles.
> 
> > I see how one could technically build such a name server, but I'm
> > wondering about the scalability of it and how it would operationally be
> > deployed.
> 
> I guess one modern server could keep like ten million records in RAM? How
> many base exchanges can it do per second? Reverse DNS updates are rare
> anyway.
> 
> When HIP gets widely deployed and there are millions of users, we might
> hope to use more resources :)
> 

This type of question is precisely what this research group's primary
charter is to answer, in my opinion.  What are the consequences of
deploying HIP on a large scale in the Internet?  If it means that we
will have a few root servers handling reverse DNS queries for all hosts,
without any aggregation, how will that architecture scale, and how will
the deployment incentives work?  Or, if that turns out to be a bad idea,
what are the practical alternatives that allow someone to write
domain-name-based ACLs?  

I think it would be great to gather more input on these types of
deployment questions.

- Tom
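A small added illustration of the two points under discussion (this is example code written for this archive page, not code from Tom, Oleg, or the HIP research group): why a reverse zone for HITs cannot be delegated below the ORCHID prefix, and why a domain-name ACL built on such a zone needs a forward confirmation step before it trusts the name. It assumes, for illustration only, that HITs would be published in nibble format under ip6.arpa the way ordinary IPv6 reverse records are; the thread does not say which zone would be used. The HITs, owner names and forward records below are constructed sample data, and `FlatReverseRegistry` is a toy model of the single flat server Oleg describes, not any real implementation.

```python
import ipaddress

# ORCHID prefix that HITs were taken from at the time of this thread (RFC 4843).
HIT_PREFIX = ipaddress.ip_network("2001:10::/28")

# Constructed sample HITs. Everything after the 28-bit prefix is hash output,
# so unrelated hosts share nothing that a zone cut could be placed on.
SAMPLE_HITS = [
    "2001:13:8c1a:2f34:9e70:b1c2:5d6e:0f81",
    "2001:1e:0a5b:77c0:13de:4421:9a0c:e6f2",
    "2001:10:ffe1:0042:ab3c:d9e8:7f6a:1b05",
]


def reverse_name(hit: str) -> str:
    """Nibble-format reverse owner name for a HIT (assumed ip6.arpa style)."""
    addr = ipaddress.IPv6Address(hit)
    if addr not in HIT_PREFIX:
        raise ValueError(f"{hit} is not inside the HIT prefix {HIT_PREFIX}")
    return addr.reverse_pointer


def shared_prefix_nibbles(hits) -> int:
    """Number of leading nibbles common to all HITs, i.e. the deepest label at
    which a reverse zone covering them could still be delegated."""
    expanded = [ipaddress.IPv6Address(h).exploded.replace(":", "") for h in hits]
    common = 0
    for column in zip(*expanded):
        if len(set(column)) != 1:
            break
        common += 1
    return common


class FlatReverseRegistry:
    """Toy model of one flat reverse zone: every HIT is a single record and
    there is no sub-delegation, because nothing below the prefix aggregates."""

    def __init__(self):
        self._records = {}

    def register(self, hit: str, owner_fqdn: str) -> None:
        # Open registration, as Oleg suggests: whoever shows up with a HIT
        # picks the name. That is exactly why the name cannot be trusted alone.
        self._records[reverse_name(hit)] = owner_fqdn

    def lookup(self, hit: str):
        return self._records.get(reverse_name(hit))

    def __len__(self) -> int:
        return len(self._records)


def name_allowed(hit: str, acl_domains, registry: FlatReverseRegistry, forward_records) -> bool:
    """Domain-name ACL decision for a peer identified by its HIT.

    The reverse record was chosen by whoever registered it, so the name is
    only accepted if the forward data for that name (constructed stand-in for
    a HIP RR set) maps back to the same HIT. Then the domain match is applied."""
    name = registry.lookup(hit)
    if name is None:
        return False
    if hit not in forward_records.get(name, set()):
        return False
    return any(name == d or name.endswith("." + d) for d in acl_domains)


if __name__ == "__main__":
    registry = FlatReverseRegistry()
    registry.register(SAMPLE_HITS[0], "host1.example.com.")
    registry.register(SAMPLE_HITS[1], "host2.example.net.")
    forward = {"host1.example.com.": {SAMPLE_HITS[0]}, "host2.example.net.": set()}
    print("delegable nibbles:", shared_prefix_nibbles(SAMPLE_HITS))
    for hit in SAMPLE_HITS:
        print(hit, "->", registry.lookup(hit),
              "allowed:", name_allowed(hit, ["example.com.", "example.net."], registry, forward))
```

Running it shows only 7 shared nibbles (the 28-bit prefix) across the three sample HITs, so the whole population would sit in one zone with no delegation point, which is the scaling question Tom raises. It also shows the second sample HIT being rejected by the ACL even though it has a reverse record, because the forward data never confirms that name for that HIT.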