ietf-dkim

Re: [ietf-dkim] DKIM Key Size Constraints

2015-05-11 15:17:45
On Monday, May 11, 2015 07:23:58 PM John Levine wrote:
> > I propose a short draft that updates 6376 to say MUST use at least 1024
> > bits and setting that as the minimum size verifiers must be able to
> > validate.  I'm volunteering to write it if people agree it's appropriate.
>
> That seems fine.  This makes the usable range fairly small, since keys
> longer than 1536 run into the 512 byte DNS packet limit which shouldn't
> still be an issue 16 years after EDNS0 was introduced, but is anyway.  I
> don't see that as a problem, but it's likely worth mentioning.

The last time I saw an interoperability problem related to EDNS0 was this 
month, so while I generally agree, the impact is still non-zero (it may be 
time to decide we don't care), but either way, I'm not proposing we do 
anything other than raise the floor for this update in order to avoid having to 
decide about things like this.

> With regards to Doug's point, yeah, we could have other ways to
> distribute keys like, say, a new DNS record type that has a binary
> key.  For some reason, that gives me a bad feeling.

Even if it was a good idea, it wouldn't be a quick update.

Scott K
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
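
The interaction between RSA key size and the 512-byte DNS UDP limit discussed in this message can be estimated offline. The following is an added example, not part of the original message: it computes a lower bound on the size of a DNS response carrying a DKIM key record. Assumptions: public exponent 65537, a record containing only the v=, k= and p= tags, and the constructed name selector._domainkey.example.com.

```python
DNS_UDP_LIMIT = 512  # DNS-over-UDP payload limit when EDNS0 is not in use

def der_tlv_len(content_len):
    """Total size of a DER element: tag byte + length field + content."""
    if content_len < 128:
        return 2 + content_len                      # short-form length
    return 2 + (content_len.bit_length() + 7) // 8 + content_len

def der_uint_len(bit_length):
    """DER INTEGER holding a positive value of the given bit length."""
    return der_tlv_len(bit_length // 8 + 1)         # room for the sign bit

def spki_len(bits, exponent=65537):
    """Size of the DER SubjectPublicKeyInfo for an RSA key of `bits` bits."""
    rsa_key = der_tlv_len(der_uint_len(bits) + der_uint_len(exponent.bit_length()))
    bit_string = der_tlv_len(1 + rsa_key)           # 1 byte of unused-bit count
    alg_id = 15                                     # SEQUENCE { rsaEncryption OID, NULL }
    return der_tlv_len(alg_id + bit_string)

def txt_rdata_len(bits):
    """TXT RDATA size: the record text split into <=255-byte strings."""
    text = len("v=DKIM1; k=rsa; p=") + 4 * ((spki_len(bits) + 2) // 3)  # base64
    return text + (text + 254) // 255               # one length byte per string

def min_response_len(bits, name="selector._domainkey.example.com"):
    """Smallest response: header + question + one answer using name compression."""
    qname = sum(len(label) + 1 for label in name.split(".")) + 1
    question = qname + 4                            # QTYPE + QCLASS
    answer = 2 + 10 + txt_rdata_len(bits)           # pointer, type/class/TTL/rdlength
    return 12 + question + answer

def headroom(bits, name="selector._domainkey.example.com"):
    """Bytes left under the 512-byte limit (negative means it cannot fit)."""
    return DNS_UDP_LIMIT - min_response_len(bits, name)

if __name__ == "__main__":
    for bits in (1024, 1536, 2048, 4096):
        print(f"{bits:5d}-bit key: >= {min_response_len(bits)} bytes, "
              f"headroom {headroom(bits)}")
```

These figures are a floor: authority and additional section records, extra tags in the key record, or a longer selector or domain name all reduce the remaining headroom.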
