On Wed, 27 Jul 2005, Jim Fenton wrote:
> Public keys stored in DNS records are much larger than DNS records used
> for address lookup and other typical DNS usages. Caching DNS resolvers
> should limit the amount of memory consumed by the cache, and more memory
> may be necessary to restore caches to their previous effectiveness.
>
> I agree with this, but the difference isn't as great as it might seem at
> first glance. A query of nebraska._domainkey.cisco.com (TXT) returns a 342
> byte result, but www.cisco.com (A) returns 83 bytes and cisco.com (MX)
> returns 426 bytes.
That is because your DNS server is configured to send the IP addresses of all
your MX servers in the additional section. While this is helpful to a degree,
this is not a typical response to MX queries by DNS servers (you don't really
need to know EVERY MX IP when doing a query, just one is enough).

<ot> I've experimented with a method that did something in between and
returned one IP address in the additional section with the list of MXs. The
idea is that it indicates the preferred one (and that may be different
depending on where the query came from) to use and the others are backups.
This is better as far as the size of the response and no extra unnecessary
records, but it seems the additional section was ignored and incoming mail
came to MX 1 anyway, so the alternative way was to have multiple A records
for MX 1 and answer with a different A record depending on source (if
needed), and then MX 1 can in fact be included in the additional section and
that is used.</ot>
> I'm not enough of a DNS geek to know if all that data is
> stored in the cache.
Yes, but in a different way. In particular, each of those A records and the MX
would be stored as a separate cache entry. Caches in DNS servers also expect
small DNS data, so large one-record data in the DNS cache could slow it down
depending on the cache server architecture.
> It seems like the difference isn't orders of magnitude.
Difference in what?
> This was the main reason that the shorter DNS records used by IIM for
> key verification were less of an advantage than we at first thought.
IIM also proposed putting the fingerprint as part of the DNS record query. I
don't think this is the optimal way to do it either, as it causes larger than
needed queries (and the query is repeated in the response as well, which
nullifies the advantage of not having to use a selector and the saving of a
couple of bytes there).
--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
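To make the size argument in the thread concrete without hitting the network, here is an added example (not code from either poster) that assembles minimal RFC 1035 wire-format responses and reports their sizes: a DKIM-style TXT reply, an MX reply, the same MX reply with A glue in the additional section, and the cost of the echoed question. Names, the selector, the sample key text and the 192.0.2.x addresses are constructed; no name compression is applied, so real servers will produce somewhat smaller messages.

```python
# Added example: measure DNS response sizes offline (RFC 1035 layout,
# uncompressed names). All names, addresses and key text are constructed.
import struct

def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels ending in a zero label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def rr(name: str, rtype: int, rdata: bytes, ttl: int = 3600) -> bytes:
    """One resource record: NAME TYPE CLASS(IN) TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def txt_rdata(text: str) -> bytes:
    """TXT RDATA is a sequence of <length><chars> strings, each at most 255 bytes."""
    data = text.encode()
    return b"".join(bytes([len(data[i:i + 255])]) + data[i:i + 255]
                    for i in range(0, len(data), 255))

def mx_rdata(preference: int, host: str) -> bytes:
    return struct.pack("!H", preference) + encode_name(host)

def a_rdata(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def response(qname: str, qtype: int, answers: list, additional: list = ()) -> bytes:
    """12-byte header, the echoed question, then answer and additional sections."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, len(additional))
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + b"".join(answers) + b"".join(additional)

def question_bytes_on_wire(qname: str, qtype: int = 16) -> int:
    """Bytes the question costs in total: once in the query and once echoed in the reply."""
    return 2 * (len(encode_name(qname)) + 4)

def compare_sizes(n_mx: int = 4) -> dict:
    """Wire sizes of a DKIM TXT reply versus MX replies with and without glue."""
    # 216 base64 chars is the length of a 1024-bit RSA SubjectPublicKeyInfo; "A"s stand in.
    dkim_txt = "v=DKIM1; k=rsa; p=" + "A" * 216
    sel = "sel._domainkey.example.com"
    txt = response(sel, 16, [rr(sel, 16, txt_rdata(dkim_txt))])
    mx_rrs = [rr("example.com", 15, mx_rdata(10 * i, f"mx{i}.example.com"))
              for i in range(1, n_mx + 1)]
    glue = [rr(f"mx{i}.example.com", 1, a_rdata(f"192.0.2.{i}")) for i in range(1, n_mx + 1)]
    return {
        "txt": len(txt),
        "mx": len(response("example.com", 15, mx_rrs)),
        "mx_with_glue": len(response("example.com", 15, mx_rrs, glue)),
        # a resolver caches RRsets: one MX set plus one A set per glue owner name
        "rrsets_cached_with_glue": 1 + n_mx,
    }
```

Running `compare_sizes()` shows the MX reply grows by 31 bytes per glue record and adds one cached A RRset per MX host, which is the effect described above for the 426-byte cisco.com MX answer.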