On 6/8/02 6:22 AM, "Steven M. Bellovin" <smb(_at_)research(_dot_)att(_dot_)com>
wrote:
DNS packets are limited to 512 bytes.
No they are not. They are limited to 64K. Even without EDNS0, a large
response can fall back to TCP. You know this.
Few MTUs are larger than 1500.
What is the average size of a CERT (honest question, I have no idea)?
Anyway -- the concept is called "appkeys", and has been discussed in
the dnsext working group. Check the archives.
I thought APPKEY was addressing putting non-self-validating keys into the
DNS, relying on DNSSEC to insure a chain of trust.
Rgds,
-drc