ietf-mailsig

Re: revised Proposed Charter

2005-07-27 21:55:28


On Wed, 27 Jul 2005, Jim Fenton wrote:

Public keys stored in DNS records are much larger than DNS records used for address lookup and other typical DNS usages. Caching DNS resolvers should limit the amount of memory consumed by the cache, and more memory may be necessary to restore caches to their previous effectiveness.

I agree with this, but the difference isn't as great as it might seem at first glance. A query of nebraska._domainkey.cisco.com (TXT) returns a 342 byte result, but www.cisco.com (A) returns 83 bytes and cisco.com (MX) returns 426 bytes.

That is because your DNS server is configured to send the IP addresses of all
your MX servers in the additional section. While this is helpful to a degree, this is not a typical response to MX by DNS servers (you don't really need
to know EVERY MX IP when doing a query; just one is enough).

<ot> I've experimented with a method that did something in between and
 returned one IP address in the additional section with the list of MXs. The idea
 is that it indicates the preferred one (and that may be different depending on
 where the query came from) to use and the others are backups. This is better as
 far as size of response and no extra unnecessary records, but it seems
 the additional section was ignored and incoming mail came to MX 1 anyway,
 so the alternative way was to have multiple A records for MX 1 and answer
 with a different A record depending on source (if needed), and that MX 1 can
 in fact be included in the additional section and that is used then.</ot>

I'm not enough of a DNS geek to know if all that data is stored in the cache.

Yes, but in a different way. In particular, each of those A records and MX
records would be stored as a separate cache entry. The cache in DNS servers also expects small DNS data, so large one-record data in a DNS cache could
slow it down depending on the cache server architecture.

It seems like the difference isn't orders of magnitude.

Difference in what?

This was the main reason that the shorter DNS records used by IIM for
key verification were less of an advantage than we at first thought.

IIM also proposed putting the fingerprint as part of the DNS record query. I don't think this is the optimal way to do it either, as it causes larger than needed queries (and the query is repeated in the response as well, which nullifies the
advantage of not having to use a selector and saving a couple of bytes there).

--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
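To put concrete numbers on the size comparison in this exchange, here is an added example (not from the thread or any of its participants) that assembles minimal DNS wire-format responses and measures them: an A answer, a DomainKeys-style TXT key record, an MX answer with and without A records in the additional section, and the same TXT lookup with a long fingerprint-style label in the query name to show that the echoed question section is paid for again in the response. The zone data and the 216-character placeholder key are constructed; the owner names of the additional A records are left uncompressed, so a real server's messages may be a few bytes smaller.

```python
import struct

def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ended by a zero byte (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def rr(owner: bytes, rtype: int, rdata: bytes, ttl: int = 3600) -> bytes:
    """One resource record: owner name, TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

# Compression pointer to the question name (always at offset 12, right after the header).
PTR_TO_QNAME = b"\xc0\x0c"

def txt_rdata(text: str) -> bytes:
    """TXT RDATA: one or more <length><chars> strings of at most 255 bytes each."""
    data = text.encode("ascii")
    return b"".join(bytes([len(data[i:i + 255])]) + data[i:i + 255]
                    for i in range(0, len(data), 255))

def mx_rdata(preference: int, host: str) -> bytes:
    """MX RDATA: 16-bit preference followed by the exchange host name."""
    return struct.pack("!H", preference) + encode_name(host)

def response_size(qname: str, qtype: int, answers, additional=()) -> int:
    """Bytes in a response: 12-byte header, echoed question, answer RRs,
    plus one A record in the additional section per (host, ipv4) pair."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, len(additional))
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    body = b"".join(rr(PTR_TO_QNAME, qtype, rd) for rd in answers)
    body += b"".join(rr(encode_name(host), 1, ip) for host, ip in additional)
    return len(header + question + body)

def compare_sizes() -> dict:
    """Constructed sample zone data (not the cisco.com records from the thread)."""
    key = "k=rsa; p=" + "A" * 216           # placeholder for a base64 1024-bit RSA key
    mx_hosts = [("mx1.example.com", bytes([192, 0, 2, 1])),
                ("mx2.example.com", bytes([192, 0, 2, 2]))]
    mx_answers = [mx_rdata(10, host) for host, _ in mx_hosts]
    return {
        "A": response_size("www.example.com", 1, [bytes([192, 0, 2, 10])]),
        "TXT_key": response_size("sel._domainkey.example.com", 16, [txt_rdata(key)]),
        "MX": response_size("example.com", 15, mx_answers),
        "MX+additional": response_size("example.com", 15, mx_answers, mx_hosts),
        # long query name: it is echoed in the response's question section
        "TXT_key_long_qname": response_size("f" * 40 + "._domainkey.example.com", 16, [txt_rdata(key)]),
    }
```

Calling `compare_sizes()` returns the byte count for each case; the MX response grows by one full A record per host once the additional section is filled, which is the effect discussed above.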
