ietf-dkim

Re: [ietf-dkim] DKIM Key Size Constraints

2015-05-12 12:11:38


-----Original Message-----
From: John R. Levine [mailto:johnl(_at_)iecc(_dot_)com]
Sent: Tuesday, May 12, 2015 10:44 AM
To: MH Michael Hammer (5304)
Cc: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] DKIM Key Size Constraints

Apart from that I think we should start a (separate) effort to
determine where we go from here. For the most part 2048 length keys
seem not to be a problem in the wild at this time. On the other hand,
given the speed (or lack thereof) involved in working groups
generating useful output, if we start now (for some definition of now)
we should (hopefully) have a solution before 2048 keys are at risk.

The only problem I'm aware of is the 512-byte UDP DNS packet size.  Is
anyone aware of actual stats on how often larger packets fail?

The IETF is not useful here.  The IETF DNS crowd swears that it's not a
problem at all and anyone who believes otherwise is stupid.


I suppose in one sense they are correct in that between TCP fallback and EDNS0 
there shouldn't be a problem. On the other hand we know (or should know) that 
there are a number of firewall implementations that don't allow for TCP 
fallback (DOH!) for larger packets and/or have a hard limit of 512 bytes for 
UDP DNS packets by default (I believe first-gen Cisco ASAs will be with us through 
2018 or something in that timeframe). I don't know how big either of these 
issues are. Presumably there should be some sort of breakage info from our 
DNSSEC brethren (due to larger DNSSEC-generated packets). 

Mike

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
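To put numbers on the 512-byte question discussed in the thread, here is an added example (not code from the list or from any of the participants) that builds the DKIM key record for a 1024-, 2048- and 4096-bit RSA key and sizes the resulting DNS response against the RFC 1035 limit for a UDP reply without EDNS0. The modulus is synthetic (only its bit length affects the DER size), and the selector and domain `selector._domainkey.example.com` are placeholders; DNSSEC RRSIGs and additional-section records, which make a real answer larger, are deliberately left out.

```python
import base64

# Added example (not from the ietf-dkim thread): estimate how large the DNS
# response for a DKIM public-key TXT record is for a given RSA key size, and
# whether it fits in the 512-byte limit of a plain (non-EDNS0) UDP DNS reply.


def der_length(n):
    """DER length octets for a content length n."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, content):
    """One DER tag-length-value element."""
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value):
    """DER INTEGER for a non-negative value (0x00 pad if the high bit is set)."""
    b = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return der_tlv(0x02, b)


# AlgorithmIdentifier { rsaEncryption (1.2.840.113549.1.1.1), NULL }
RSA_ALGORITHM_ID = bytes.fromhex("300d06092a864886f70d0101010500")


def rsa_spki_der(modulus, exponent=65537):
    """SubjectPublicKeyInfo DER for an RSA public key, the form DKIM's p= tag carries (RFC 6376)."""
    rsa_public_key = der_tlv(0x30, der_integer(modulus) + der_integer(exponent))
    subject_public_key = der_tlv(0x03, b"\x00" + rsa_public_key)  # BIT STRING, 0 unused bits
    return der_tlv(0x30, RSA_ALGORITHM_ID + subject_public_key)


def txt_rdata(text):
    """TXT RDATA: a sequence of <length byte><up to 255 chars> character-strings (RFC 1035)."""
    data = text.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)]
    return b"".join(bytes([len(c)]) + c for c in chunks)


def encode_name(name):
    """Uncompressed wire form of a domain name: length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def dns_response_size(qname, rdata, edns=False):
    """Bytes in a minimal response: 12-byte header, one question, one answer whose owner
    name is a 2-byte compression pointer, plus an empty OPT pseudo-RR (11 bytes) if edns.
    DNSSEC RRSIGs, which make a real answer larger still, are not modelled."""
    question = len(encode_name(qname)) + 2 + 2      # QNAME, QTYPE, QCLASS
    answer = 2 + 2 + 2 + 4 + 2 + len(rdata)         # NAME ptr, TYPE, CLASS, TTL, RDLENGTH, RDATA
    return 12 + question + answer + (11 if edns else 0)


def dkim_record_report(bits, qname="selector._domainkey.example.com"):
    """Build a DKIM key record for an RSA key of `bits` bits and size its DNS response.
    The modulus is synthetic (only its bit length matters for the DER size) and the
    selector/domain are placeholders, both assumptions of this example."""
    modulus = (1 << (bits - 1)) | 1
    der = rsa_spki_der(modulus)
    record = "v=DKIM1; k=rsa; p=" + base64.b64encode(der).decode("ascii")
    rdata = txt_rdata(record)
    size = dns_response_size(qname, rdata)
    return {
        "bits": bits,
        "der_len": len(der),
        "record_chars": len(record),
        "rdata_len": len(rdata),
        "response_bytes": size,
        "fits_512": size <= 512,
    }


if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        r = dkim_record_report(bits)
        print(f"{bits}-bit RSA: SPKI {r['der_len']} B, record {r['record_chars']} chars, "
              f"TXT RDATA {r['rdata_len']} B, UDP response {r['response_bytes']} B, "
              f"fits in 512 B: {r['fits_512']}")
```

With the short placeholder name, a 2048-bit key record yields a 473-byte response, inside the 512-byte limit but with under 40 bytes to spare; a longer selector or domain, extra tags in the record (t=, h=, n=), or the RRSIG that a signed zone adds all push it over, which is exactly where the TCP-fallback and EDNS0 behaviour of middleboxes starts to matter. A 4096-bit key (818 bytes here) never fits in a plain 512-byte reply.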