In message <B927B8AE.C5DC%david.conrad@nominum.com>, David Conrad writes:

>On 6/8/02 6:22 AM, "Steven M. Bellovin" <smb@research.att.com> wrote:
>> DNS packets are limited to 512 bytes.
>
>No they are not. They are limited to 64K. Even without EDNS0, a large
>response can fall back to TCP. You know this.

I was excluding EDNS0, since I thought it wasn't widely implemented. TCP
fallback is, as you are painfully well aware, expensive.

>
>> Few MTUs are larger than 1500.
>
>What is the average size of a CERT (honest question, I have no idea)?

Good question -- and I don't think there's any one answer.

>
>> Anyway -- the concept is called "appkeys", and has been discussed in
>> the dnsext working group. Check the archives.
>
>I thought APPKEY was addressing putting non-self-validating keys into the
>DNS, relying on DNSSEC to insure a chain of trust.
>

Technically, you're right, but a number of the essential concepts are the
same, including the key one that the record you're looking for has to have
a name in DNS space.

        --Steve Bellovin, http://www.research.att.com/~smb (me)
        http://www.wilyhacker.com ("Firewalls" book)
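The size argument in the exchange above (the classic 512-byte UDP ceiling, the larger payload size a querier can advertise with an EDNS0 OPT record, and the truncate-then-retry-over-TCP fallback) is easy to make concrete. The following is an added example, not code from either participant or from any DNS implementation: it hand-assembles a CERT query and response in wire format, reads the querier's advertised UDP payload size, and shows when a server must set TC=1 and push the client into a second, TCP round trip. The owner name `alice.example.com.`, the "certificate" byte blobs, the CERT key tag/algorithm values and the server's own advertised size of 4096 are all constructed for the demonstration.

```python
"""Added example (not from the thread): how a DNS server chooses between a
plain UDP answer, an EDNS0-sized UDP answer, and a truncated (TC=1) answer
that forces the client to retry over TCP.  Everything is built by hand from
the wire format so it runs offline; the owner name and the 'certificate'
bytes are constructed sample data."""
import struct

CLASSIC_UDP_LIMIT = 512            # RFC 1035 s4.2.1 UDP payload ceiling
TYPE_CERT, TYPE_OPT, CLASS_IN = 37, 41, 1
SERVER_UDP_SIZE = 4096             # assumption: what this server says it can receive


def encode_name(name):
    """Uncompressed wire-format owner name: length-prefixed labels, root byte."""
    out = b"".join(struct.pack("!B", len(l)) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def skip_name(msg, off):
    """Offset just past the name at `off` (handles compression pointers)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + n


def opt_rr(udp_payload_size):
    """EDNS0 OPT pseudo-RR (RFC 6891 s6.1.2): root owner, TYPE 41, and the
    CLASS field repurposed to carry the sender's UDP payload size."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, 0, 0)


def build_query(name, qtype, udp_payload_size=None, txid=0x1234):
    opt = opt_rr(udp_payload_size) if udp_payload_size else b""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if opt else 0)  # RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN) + opt


def advertised_udp_size(query):
    """UDP payload size the querier can accept: its OPT RR value, else 512."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == TYPE_OPT:
            return max(rclass, CLASSIC_UDP_LIMIT)  # RFC 6891 s6.2.5: <512 means 512
        off += 10 + rdlen
    return CLASSIC_UDP_LIMIT


def cert_rr(name, cert_bytes, ttl=3600):
    """CERT RR (RFC 4398 s2.1): type=1 (PKIX), key tag, algorithm, certificate.
    Key tag 0 and algorithm 8 are placeholders; only the size matters here."""
    rdata = struct.pack("!HHB", 1, 0, 8) + cert_bytes
    return encode_name(name) + struct.pack("!HHIH", TYPE_CERT, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(query, rrs, transport="udp"):
    """Return (message, truncated).  Over UDP a message larger than the querier's
    limit is replaced by an empty answer with TC=1 (the answer section is dropped
    entirely, as most servers do, so the client cannot cache a partial RRset);
    over TCP anything up to 64K is sent as-is."""
    txid, _, qd, *_ = struct.unpack("!HHHHHH", query[:12])
    qend = 12
    for _ in range(qd):
        qend = skip_name(query, qend) + 4
    question = query[12:qend]
    limit = advertised_udp_size(query)
    # Echo an OPT RR only when the client advertised more than the classic 512.
    opt = opt_rr(SERVER_UDP_SIZE) if limit > CLASSIC_UDP_LIMIT else b""
    full = (struct.pack("!HHHHHH", txid, 0x8180, qd, len(rrs), 0, 1 if opt else 0)
            + question + b"".join(rrs) + opt)                  # flags: QR RD RA
    if transport == "tcp" or len(full) <= limit:
        return full, False
    truncated = (struct.pack("!HHHHHH", txid, 0x8380, qd, 0, 0, 1 if opt else 0)
                 + question + opt)                              # flags: QR TC RD RA
    return truncated, True


def lookup(name, cert_bytes, udp_payload_size=None):
    """One client-side lookup: try UDP, fall back to TCP only on truncation.
    Returns (transport that carried the answer, size of that answer in bytes)."""
    query = build_query(name, TYPE_CERT, udp_payload_size)
    rrs = [cert_rr(name, cert_bytes)]
    answer, tc = build_response(query, rrs, "udp")
    if tc:
        answer, _ = build_response(query, rrs, "tcp")        # the expensive second round trip
        return "tcp", len(answer)
    return "udp", len(answer)


if __name__ == "__main__":
    # Constructed sample data: a ~1 KB blob standing in for a DER certificate.
    fake_cert = b"\x30" * 1024
    print(lookup("alice.example.com.", fake_cert))          # ('tcp', 1093)
    print(lookup("alice.example.com.", fake_cert, 4096))    # ('udp', 1104)
    print(lookup("alice.example.com.", b"\x30" * 200))      # ('udp', 269)
```

The three calls at the bottom trace the thread's positions: a 1 KB certificate does not fit a 512-byte UDP answer, so a non-EDNS0 client gets an empty TC=1 reply and pays for a TCP connection; the same client advertising a 4096-byte EDNS0 buffer gets it in one UDP datagram; and a small certificate fits the classic limit either way, which is why the size of a typical CERT is the question that decides the argument.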