spf-discuss

RE: domainkeys

2004-05-27 09:53:53
[Chris Drake]
A base64 encoded public key of useful strength is around 920 bytes
long after stripping out unnecessary headers etc; an unrealistic
burden to place on DNS.

First of all, a 1024-bit public key encoded in base-64 is 171 bytes, not
920. I think you got your bits and bytes confused. The RSA exponent used
in X.509 is common to every key (65537) and only takes up 2 bytes to
encode in any case. We only really need to encode N, the modulus. So
we're talking about ~175 bytes here for useful keys, not 920.

Also, long-lived DNS caching all but eliminates the bandwidth problem.
Domain keys will not change quickly; they can have TTLs of weeks or
more. It is not, IMHO, unrealistic to put a burden of 1K per recipient
per week on the DNS infrastructure.

Now, the issue of DNS packet sizes and TXT records is another matter
entirely, but can we support broken DNS resolvers that cannot handle
medium-sized (>128 bytes) or fragmented packets forever?

Regards,
        Ryan
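The size argument above, and the TXT-record packet-size question that follows it, can be checked with a few lines of code. The following is an added example, not code from the thread or from the DomainKeys proposal: it builds a random modulus of a chosen bit length (random filler, not a real key), DER-encodes it as a PKCS#1 RSAPublicKey (SEQUENCE of modulus and exponent 65537), base64-encodes both the bare modulus and the full structure, and then counts how many 255-octet TXT character-strings the result needs and roughly how large a classic 512-byte UDP answer would be. The selector name `selector._domainkey.example.com` and the overhead estimate are assumptions for illustration.

```python
"""Sizing a DomainKeys-style public key for a DNS TXT record (added example)."""
import base64
import secrets

RSA_E = 65537            # the common public exponent the reply refers to
TXT_STRING_LIMIT = 255   # RFC 1035: one <character-string> in a TXT RR is at most 255 octets
DNS_UDP_LIMIT = 512      # RFC 1035: classic UDP DNS message size before truncation / EDNS0


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER: minimal big-endian two's complement, so a leading 0x00 is
    prepended when the top bit is set (always the case for an RSA modulus)."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_sequence(*elements: bytes) -> bytes:
    body = b"".join(elements)
    return b"\x30" + der_length(len(body)) + body


def rsa_public_key_der(n: int, e: int = RSA_E) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    return der_sequence(der_integer(n), der_integer(e))


def key_record_sizes(bits: int) -> dict:
    """Base64 byte counts for a modulus of the given bit length, bare and with exponent.
    The modulus is random filler with the top and bottom bits forced; only sizes matter."""
    n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    raw_modulus = n.to_bytes(bits // 8, "big")
    return {
        "modulus_only": len(base64.b64encode(raw_modulus)),
        "pkcs1_with_exponent": len(base64.b64encode(rsa_public_key_der(n))),
    }


def txt_strings_needed(b64_len: int) -> int:
    """Number of 255-octet character-strings the base64 text must be split across."""
    return -(-b64_len // TXT_STRING_LIMIT)


def approx_udp_answer_bytes(name: str, b64_len: int) -> int:
    """Rough size of a one-RR TXT response (assumption: no EDNS, answer name compressed).
    header 12 + question (wire name + type + class) + answer (2-byte pointer + 10 fixed
    + RDATA, where RDATA is the text plus one length byte per character-string)."""
    wire_name = len(name) + 2          # each label gets a length byte; trailing zero
    question = wire_name + 4
    rdata = b64_len + txt_strings_needed(b64_len)
    answer = 2 + 10 + rdata
    return 12 + question + answer


if __name__ == "__main__":
    selector = "selector._domainkey.example.com"   # assumed example name
    for bits in (512, 1024, 2048):
        sizes = key_record_sizes(bits)
        full = sizes["pkcs1_with_exponent"]
        print(f"{bits}-bit: modulus-only {sizes['modulus_only']} B base64, "
              f"with exponent {full} B, TXT strings {txt_strings_needed(full)}, "
              f"~UDP answer {approx_udp_answer_bytes(selector, full)} B "
              f"(limit {DNS_UDP_LIMIT})")
```

The 1024-bit case lands at 172 base64 bytes for the bare modulus and 188 with the exponent wrapped in DER, so the exponent costs about 16 bytes, not hundreds, and the whole answer fits comfortably in a 512-byte UDP reply. At 2048 bits the text exceeds 255 octets and must be split into two character-strings, which is exactly the kind of record that resolvers with poor TXT handling tend to mangle.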

