On 6/8/02 6:22 AM, "Steven M. Bellovin" <smb@research.att.com> wrote:

> DNS packets are limited to 512 bytes.

No, they are not. They are limited to 64K. Even without EDNS0, a large response can fall back to TCP. You know this.

> Few MTUs are larger than 1500.

What is the average size of a CERT (honest question, I have no idea)?

> Anyway -- the concept is called "appkeys", and has been discussed in
> the dnsext working group. Check the archives.

I thought APPKEY was addressing putting non-self-validating keys into the DNS, relying on DNSSEC to ensure a chain of trust.

Rgds,
-drc
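The size argument in the message above (512 bytes for plain UDP, a larger advertised size with EDNS0, 64K over TCP, and the 1500-byte MTU question) as an added worked example; this is not code from the original thread or from any participant. It builds DNS wire messages by hand with the standard library only. The owner name host.example., the query ID and the CERT rdata (1200 opaque bytes standing in for a certificate) are constructed assumptions; the type codes, flag bits and limits are those of RFC 1035, RFC 4398 and RFC 6891.

```python
import struct

# Type codes, flag bits and limits from RFC 1035, RFC 4398 (CERT) and RFC 6891 (EDNS0).
TYPE_CERT = 37
TYPE_OPT = 41
CLASS_IN = 1
FLAG_QR = 0x8000
FLAG_TC = 0x0200
UDP_LIMIT_NO_EDNS = 512   # RFC 1035 4.2.1: UDP messages capped at 512 bytes without EDNS0
TCP_MAX = 0xFFFF          # RFC 1035 4.2.2: 16-bit length prefix, so 65535 bytes over TCP


def encode_name(name):
    """Encode a dotted owner name as uncompressed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name starting at msg[off] (pointers allowed)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def header(ident, flags, qd, an, ns, ar):
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)


def rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def opt_rr(udp_payload_size):
    """EDNS0 OPT pseudo-RR: root owner, TYPE 41, CLASS field carries the UDP size."""
    return rr("", TYPE_OPT, udp_payload_size, 0, b"")


def build_query(ident, qname, qtype, edns_size=None):
    msg = header(ident, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    return msg + (opt_rr(edns_size) if edns_size else b"")


def advertised_udp_size(query):
    """UDP size the client can accept: the OPT CLASS field if present, else 512."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return max(rclass, UDP_LIMIT_NO_EDNS)   # RFC 6891 6.2.3: below 512 means 512
    return UDP_LIMIT_NO_EDNS


def build_response(query, answers, edns_size=None):
    ident = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    additional = opt_rr(edns_size) if edns_size else b""
    hdr = header(ident, FLAG_QR, 1, len(answers), 0, 1 if edns_size else 0)
    return hdr + question + b"".join(answers) + additional


def udp_response(query, response):
    """Fit the response into the client's UDP limit. If it does not fit, return
    header + question only with TC=1; a resolver then retries the query over TCP."""
    limit = advertised_udp_size(query)
    if len(response) <= limit:
        return response, False
    ident, flags = struct.unpack("!HH", response[:4])
    question = response[12:skip_name(response, 12) + 4]
    return header(ident, flags | FLAG_TC, 1, 0, 0, 0) + question, True


def tcp_frame(response):
    """TCP transport prefixes every message with a 16-bit length (RFC 1035 4.2.2)."""
    if len(response) > TCP_MAX:
        raise ValueError("DNS message larger than 65535 bytes cannot be sent over TCP")
    return struct.pack("!H", len(response)) + response


def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def fits_in_one_datagram(msg, mtu=1500):
    """True if msg in a UDP/IPv4 datagram (20-byte IP + 8-byte UDP header) needs no fragmentation."""
    return len(msg) + 28 <= mtu


# Constructed sample (not a real certificate): CERT rdata = type PKIX(1), key tag 0,
# algorithm 5, then 1200 opaque bytes standing in for a DER-encoded X.509 cert.
SAMPLE_CERT_RDATA = struct.pack("!HHB", 1, 0, 5) + b"\x00" * 1200
CERT_RR = rr("host.example.", TYPE_CERT, CLASS_IN, 3600, SAMPLE_CERT_RDATA)


def demo():
    plain = build_query(0x1234, "host.example.", TYPE_CERT)
    edns = build_query(0x1234, "host.example.", TYPE_CERT, edns_size=4096)
    resp_plain = build_response(plain, [CERT_RR])
    resp_edns = build_response(edns, [CERT_RR], edns_size=4096)
    plain_udp, plain_tc = udp_response(plain, resp_plain)
    edns_udp, edns_tc = udp_response(edns, resp_edns)
    return {
        "response_len": len(resp_plain),        # 1259 bytes: well past 512
        "plain_udp_len": len(plain_udp),         # 30: header + question only, TC set
        "plain_truncated": plain_tc,
        "edns_udp_len": len(edns_udp),           # 1270: fits the advertised 4096
        "edns_truncated": edns_tc,
        "edns_one_datagram": fits_in_one_datagram(edns_udp),
        "tcp_len": len(tcp_frame(resp_plain)),   # 1261: 2-byte length prefix + message
    }
```

Running demo() shows both halves of the argument: a 1259-byte CERT answer to a resolver that did not send an OPT record goes out as a 30-byte truncated reply with TC set (the resolver's cue to retry over TCP, where the 16-bit length prefix allows 65535 bytes), while the same answer to a resolver advertising 4096 bytes goes out whole over UDP and, at 1270 bytes, still fits a single 1500-byte datagram. Responses that push the EDNS0 buffer past roughly 1472 bytes on a 1500-byte path are the ones that get IP-fragmented, which is the MTU concern raised in the quoted text.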