Andrew Newton wrote:
On Jul 27, 2005, at 5:40 PM, Dave Crocker wrote:
1) Section 9.4 doesn't say anything about DNS cache sizes. Since
caches are a huge part of the robustness of DNS, I think it is
important to mention.
Do you have text that you suggest be included?
Public keys stored in DNS records are much larger than DNS records
used for address lookup and other typical DNS usages. Caching DNS
resolvers should limit the amount of memory consumed by the cache,
and more memory may be necessary to restore caches to their previous
effectiveness.
I agree with this, but the difference isn't as great as it might seem at
first glance. A query of nebraska._domainkey.cisco.com (TXT) returns a
342 byte result, but www.cisco.com (A) returns 83 bytes and cisco.com
(MX) returns 426 bytes. I'm not enough of a DNS geek to know if all
that data is stored in the cache. It seems like the difference isn't
orders of magnitude.
This was the main reason that the shorter DNS records used by IIM for
key verification were less of an advantage than we at first thought.
-Jim
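To put numbers on the record-size comparison in the thread, here is an added example (not from the thread or any DKIM implementation) that builds the uncompressed wire format of A, MX and TXT resource records and reports their size. Names under example.com and the key bytes are constructed placeholders; the key lengths (162 and 294 octets) are assumed to match a DER SubjectPublicKeyInfo for a 1024-bit and a 2048-bit RSA key.

```python
import base64
import struct

def encode_name(name: str) -> bytes:
    # Uncompressed owner name: length-prefixed labels ending in a zero octet.
    out = b""
    for label in name.rstrip(".").split("."):
        lab = label.encode("ascii")
        out += bytes([len(lab)]) + lab
    return out + b"\x00"

def txt_rdata(text: str) -> bytes:
    # RFC 1035 TXT RDATA is one or more <character-string>s of at most 255
    # octets each, so a long DKIM key is split across several strings.
    data = text.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)] or [b""]
    return b"".join(bytes([len(c)]) + c for c in chunks)

def a_rdata(ipv4: str) -> bytes:
    return bytes(int(octet) for octet in ipv4.split("."))

def mx_rdata(preference: int, exchange: str) -> bytes:
    return struct.pack("!H", preference) + encode_name(exchange)

def rr_wire_size(owner: str, rdata: bytes) -> int:
    # NAME + TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) + RDATA, no compression,
    # so this is an upper bound on what a cache has to hold per record.
    return len(encode_name(owner)) + 10 + len(rdata)

def dkim_txt_record(pubkey_der: bytes) -> str:
    # DKIM key record: the base64 of the DER public key in the p= tag.
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(pubkey_der).decode("ascii")

def compare_sizes() -> dict:
    # Constructed sample records; bytes(n) stands in for a real DER key of that length.
    return {
        "A www.example.com": rr_wire_size("www.example.com", a_rdata("192.0.2.1")),
        "MX example.com": rr_wire_size("example.com", mx_rdata(10, "mail.example.com")),
        "TXT dkim 1024-bit": rr_wire_size("sel._domainkey.example.com",
                                          txt_rdata(dkim_txt_record(bytes(162)))),
        "TXT dkim 2048-bit": rr_wire_size("sel._domainkey.example.com",
                                          txt_rdata(dkim_txt_record(bytes(294)))),
    }

if __name__ == "__main__":
    for label, size in compare_sizes().items():
        print(f"{label:22s} {size:4d} octets")
```

A resolver's actual per-entry memory cost adds its own bookkeeping on top of these wire sizes, so the figures show the ratio between record types rather than an absolute cache budget.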