In message <B927B8AE(_dot_)C5DC%david(_dot_)conrad(_at_)nominum(_dot_)com>,
David Conrad writes:
On 6/8/02 6:22 AM, "Steven M. Bellovin"
DNS packets are limited to 512 bytes.
No they are not. They are limited to 64K. Even without EDNS0, a large
response can fall back to TCP. You know this.
I was excluding EDNS0, since I thought it wasn't widely implemented. TCP
fallback is, as you are painfully well aware, expensive.
Few MTUs are larger than 1500.
What is the average size of a CERT (honest question, I have no idea)?
Good question -- and I don't think there's any one answer.
Anyway -- the concept is called "appkeys", and has been discussed in
the dnsext working group. Check the archives.
I thought APPKEY was addressing putting non-self-validating keys into the
DNS, relying on DNSSEC to insure a chain of trust.
Technically, you're right, but a number of the essential concepts are
the same, including the key one that the record you're looking for has
to have a name in DNS space.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)