ietf-mailsig

Re: DKIM

2005-07-11 21:39:23


On Mon, 11 Jul 2005, Andrew Newton wrote:

On Jul 11, 2005, at 11:24 AM, william(at)elan.net wrote:
3. Key Size

 From section 3.3.2 -

 "The practical constraint that a 2048 bit key is the largest key that
  fits within a 512 byte DNS UDP response packet"

 That is not entirely true, because you use BASE64 within the DNS TXT record
 and because the response is not really a 512-byte dns udp for data (i.e. it
 would include the dns "question" and "authority" in addition to the "answer").
 The 2048 bit key will not fit in dns.

Having not actually broken out tcpdump and actually done this, I might regret saying this later. That being said, it would seem a 2048 bit key could fit into a 512 octet DNS packet if that DNS packet contained a domain name of no more than 60 characters and only two NS records in the authority section referring to 3 character hostnames under the same domain.

You forgot selector and _prefix. Plus there is dns's own header data also, plus dns data goes into a udp packet which has its own header too. Plus the actual DK TXT record has a few other tags. But I did make a mistake by about 100 bytes in my quick calculation and there is room to use about 30 character domains (with two nameservers of similar size), but not really that much room to maneuver.

In any case using fingerprints would solve all that as they are fixed
size (smaller than even a 384-bit public key) no matter what size public key is used. And as with many other databases, dns is most efficient with fixed-size records (like ip addresses) rather than arbitrary blobs.

--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
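A back-of-the-envelope size calculation of the kind this exchange argues about, as an added example that is not part of the thread: it estimates the DNS message for a selector._domainkey TXT lookup carrying a base64 RSA key, with two NS records in the authority section. The DER key lengths, the `v=DKIM1; k=rsa; p=` tag prefix, the `ns1`/`ns2` hostnames and the name-compression layout are assumptions.

```python
import math

# Constructed sizes for the DER SubjectPublicKeyInfo of an RSA key; these are the
# usual lengths (294 bytes for a 2048-bit modulus, 162 bytes for 1024-bit).
RSA_SPKI_DER_BYTES = {1024: 162, 2048: 294}

DNS_HEADER_BYTES = 12
UDP_MESSAGE_LIMIT = 512   # RFC 1035 limit on the DNS message itself (IP/UDP headers not counted)
RR_FIXED_BYTES = 10       # TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2)
POINTER_BYTES = 2         # compressed name pointing at an earlier occurrence in the message

def base64_len(n_bytes):
    """Length of the base64 text for n_bytes of binary data (with padding)."""
    return 4 * math.ceil(n_bytes / 3)

def wire_name_len(name):
    """Uncompressed wire length of a domain name: one length octet per label plus the root octet."""
    labels = [l for l in name.strip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1

def txt_rdata_len(text):
    """TXT RDATA is a chain of <character-string>s of at most 255 bytes, each with a length octet."""
    return len(text) + math.ceil(len(text) / 255)

def dkim_txt_record(key_bits, tag_prefix="v=DKIM1; k=rsa; p="):
    """Constructed record text: assumed tag prefix plus a base64 key of the right length."""
    return tag_prefix + "A" * base64_len(RSA_SPKI_DER_BYTES[key_bits])

def response_size(domain, selector, key_bits, ns_hosts=("ns1", "ns2")):
    """Estimated DNS message size: question, one TXT answer, NS authority records."""
    qname = f"{selector}._domainkey.{domain}"
    question = wire_name_len(qname) + 4                         # QTYPE + QCLASS
    answer = POINTER_BYTES + RR_FIXED_BYTES + txt_rdata_len(dkim_txt_record(key_bits))
    # Each NS RR: owner name as a pointer to <domain> inside qname, fixed fields,
    # and RDATA "<host>.<domain>" written as one label plus a pointer.
    authority = sum(POINTER_BYTES + RR_FIXED_BYTES + (1 + len(h) + POINTER_BYTES)
                    for h in ns_hosts)
    return DNS_HEADER_BYTES + question + answer + authority

def fits_in_udp(domain, selector, key_bits, ns_hosts=("ns1", "ns2")):
    """True when the estimated message stays within the classic 512-byte UDP limit."""
    return response_size(domain, selector, key_bits, ns_hosts) <= UDP_MESSAGE_LIMIT

if __name__ == "__main__":
    for bits in (1024, 2048):
        for dom in ("example.com", "a" * 56 + ".com"):
            n = response_size(dom, "s1", bits)
            print(f"{bits}-bit key, {len(dom)}-char domain: {n} bytes, fits={n <= UDP_MESSAGE_LIMIT}")
```

Responders that honor EDNS0 can exceed 512 bytes, so the limit here only describes the plain RFC 1035 case the thread is discussing.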

