--- "william(at)elan.net" <william(_at_)elan(_dot_)net> wrote:
Having not actually broken out tcpdump and actually done this, I might regret saying this later. That being said, it would seem a 2048 bit key could fit into a 512 octet DNS packet if that DNS packet contained a domain name of no more than 60 characters and only two NS records in the authority section referring to 3 character hostnames under the same domain.

One must be very careful about what a DNS server may return and what a DNS server *must* return. E.g., try

$ dig s2048._domainkey.emu.st txt

As the name suggests, this is a 2048 bit key that fits in 458 bytes of response.

Also of course, base64 is not particularly compact; other representations, such as base127, are more efficient, and a binary representation in a specific RR affords key sizes well in excess of 3000 bits, not counting EDNS0 or continuation records.

Mark.
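
A size check for the point discussed in this thread, as an added example (not code from either poster): it builds the wire-format response for a TXT record carrying a base64-encoded 2048-bit RSA key, with and without two NS records in the authority section, and compares the length against the 512-octet limit. The 294-byte placeholder key, the `k=rsa; p=` tag prefix, the NS hostnames `ns1`/`ns2`, the message ID and the TTL are assumptions constructed for illustration, so the result need not equal the 458 bytes quoted above.

```python
import base64
import struct

def encode_name(name, offsets, pos):
    """Encode name at message offset pos, compressing known suffixes (RFC 1035 4.1.4)."""
    out, labels = b"", name.rstrip(".").split(".")
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]).lower()
        if suffix in offsets:  # reuse an earlier occurrence via a 2-octet pointer
            return out + struct.pack("!H", 0xC000 | offsets[suffix])
        offsets[suffix] = pos + len(out)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def txt_rdata(text):
    """Split text into length-prefixed character-strings of at most 255 octets."""
    raw = text.encode("ascii")
    return b"".join(bytes([len(raw[i:i + 255])]) + raw[i:i + 255]
                    for i in range(0, len(raw), 255))

def build_response(qname, txt, zone, ns_hosts=()):
    """Build an authoritative TXT response, with NS records for zone in the authority section."""
    offsets = {}
    msg = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, len(ns_hosts), 0)
    msg += encode_name(qname, offsets, len(msg)) + struct.pack("!HH", 16, 1)
    rdata = txt_rdata(txt)
    msg += encode_name(qname, offsets, len(msg))  # owner name becomes a pointer
    msg += struct.pack("!HHIH", 16, 1, 3600, len(rdata)) + rdata
    for host in ns_hosts:
        msg += encode_name(zone, offsets, len(msg))
        ns = encode_name(f"{host}.{zone}", offsets, len(msg) + 10)
        msg += struct.pack("!HHIH", 2, 1, 3600, len(ns)) + ns
    return msg

# Constructed placeholder: 294 zero bytes, the DER length of a 2048-bit RSA
# SubjectPublicKeyInfo with e=65537. Not a real key.
FAKE_KEY_DER = bytes(294)
TXT = "k=rsa; p=" + base64.b64encode(FAKE_KEY_DER).decode("ascii")
QNAME, ZONE = "s2048._domainkey.emu.st", "emu.st"

def sizes():
    """Return (size without authority section, size with two NS records)."""
    bare = build_response(QNAME, TXT, ZONE)
    with_ns = build_response(QNAME, TXT, ZONE, ("ns1", "ns2"))  # hostnames assumed
    return len(bare), len(with_ns)

if __name__ == "__main__":
    for label, n in zip(("answer only", "with 2 NS"), sizes()):
        print(f"{label}: {n} octets, fits in 512: {n <= 512}")
```

Passing a longer `qname` or more `ns_hosts` to `build_response` shows how quickly the remaining headroom under 512 octets is used up.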