
Re: [RRG] Tunnel fragmentation/reassembly for RRG map-and-encaps architectures



Noel Chiappa wrote:
    > From: Brian Dickson <briand@ca.afilias.info>

    > If the EID->RLOC mappings are done in DNS ... the tree can be walked to
    > fully populate the entire set of EID->RLOC mappings.

That's not a very efficient way to give everyone a copy of the table of
bindings, in advance. If we want to operate in that mode (and there are
doubters, see the previous conversation between Tony and Yakov, I think it
was), there are much better ways to do that.

There's two distinct things:
1) how to *publish* the data;
2) how to *serve* the data

Both need to be secure to be trustworthy. But they do not need to be the same.

For example, one or more secured servers, walking the tree (which is dnssec-signed), and then publishing the mapping table suitable for fast queries/responses, or pushed to whoever wants the full table.

Having the publishing of data being directly under end-site control, IMHO, is an operational must.

Having the data serving stuff done some other way, is an optimization.

(The issue of trust, is not limited to the query/answer stuff; it also has to handle cross-jurisdictional, third-party, and contractual transitive-ness types of requirements. If I can't sue you, I'm not going to trust you to do something for me.)

Brian Dickson

--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg