Re: Global PKI on DNS?

In message <B927B8AE.C5DC%david.conrad@nominum.com>, David Conrad writes:
>On 6/8/02 6:22 AM, "Steven M. Bellovin" <smb@research.att.com> wrote:
>> DNS packets are limited to 512 bytes.
>
>No they are not.  They are limited to 64K.  Even without EDNS0, a large
>response can fall back to TCP.  You know this.

I was excluding EDNS0, since I thought it wasn't widely implemented.  TCP 
fallback is, as you are painfully well aware, expensive.
>
>> Few MTUs are larger than 1500.
>
>What is the average size of a CERT (honest question, I have no idea)?

Good question -- and I don't think there's any one answer.
>
>> Anyway -- the concept is called "appkeys", and has been discussed in
>> the dnsext working group.  Check the archives.
>
>I thought APPKEY was addressing putting non-self-validating keys into the
>DNS, relying on DNSSEC to ensure a chain of trust.
>
Technically, you're right, but a number of the essential concepts are 
the same, including the key one that the record you're looking for has 
to have a name in DNS space.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com ("Firewalls" book)
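The size limits traded back and forth above (512 bytes for plain UDP, a larger EDNS0 buffer, TCP fallback up to 64K, and a 1500-byte MTU) can be checked concretely. The script below is an added example, not code from either poster: it sizes a minimal DNS response carrying one CERT record (RFC 1035 message layout, RFC 4398 CERT RDATA) and reports which transport would carry it and whether the UDP datagram would need IPv4 fragmentation. The owner name, key tag, algorithm and certificate bytes are constructed filler, not real values.

```python
"""
Constructed example: size a DNS response carrying a CERT record and decide
which transport the limits quoted in the thread permit. Wire layout follows
RFC 1035 (header, question, resource record) and RFC 4398 (CERT RDATA).
The certificate bytes fed in below are filler, not real certificates.
"""
import struct

DNS_HEADER_LEN = 12          # RFC 1035 s4.1.1: 12-byte message header
CLASSIC_UDP_LIMIT = 512      # RFC 1035 s2.3.4: UDP limit without EDNS0
DNS_MAX_MESSAGE = 65535      # TCP framing uses a 16-bit length prefix
ETHERNET_MTU = 1500
IPV4_UDP_OVERHEAD = 20 + 8   # minimal IPv4 header + UDP header
RR_FIXED_FIELDS = 10         # TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)
QTYPE_CERT = 37              # RFC 4398
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels, uncompressed."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def cert_rdata(cert_type: int, key_tag: int, algorithm: int, cert: bytes) -> bytes:
    """CERT RDATA (RFC 4398 s2): type(2) | key tag(2) | algorithm(1) | certificate."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + cert


def response_size(owner: str, rdata: bytes, compress: bool = True) -> int:
    """Bytes in a minimal answer: header + question + one RR holding rdata.
    With name compression the RR owner is a 2-byte pointer back to QNAME."""
    qname = encode_name(owner)
    question_len = len(qname) + 4                 # QNAME + QTYPE + QCLASS
    owner_len = 2 if compress else len(qname)
    return DNS_HEADER_LEN + question_len + owner_len + RR_FIXED_FIELDS + len(rdata)


def transport_for(size: int, edns_buffer: int = 0) -> str:
    """Transport a resolver would end up using for a response of this size.
    edns_buffer is the client's advertised EDNS0 UDP payload size (0 = no EDNS0)."""
    if size > DNS_MAX_MESSAGE:
        return "oversize"        # cannot be carried even over TCP
    if size <= CLASSIC_UDP_LIMIT:
        return "udp"
    if size <= edns_buffer:
        return "udp+edns0"
    return "tcp"                 # UDP reply truncated (TC=1), client retries over TCP


def fragments_on_path(size: int, mtu: int = ETHERNET_MTU) -> bool:
    """True if a UDP reply of this size exceeds one IPv4 datagram on an MTU-sized link."""
    return size + IPV4_UDP_OVERHEAD > mtu


if __name__ == "__main__":
    # Constructed certificate lengths spanning the cases discussed in the thread.
    for cert_len in (300, 1200, 1500, 70000):
        # type 1 = PKIX, algorithm 5 = RSA/SHA-1; key tag and cert body are filler
        rdata = cert_rdata(1, 12345, 5, b"\x00" * cert_len)
        size = response_size("alice.example.com", rdata)
        print(f"cert={cert_len:6d}  response={size:6d}  no-EDNS0={transport_for(size):9s}"
              f"  EDNS0(4096)={transport_for(size, 4096):9s}"
              f"  fragments@1500={fragments_on_path(size)}")
```

With the constructed owner name the fixed overhead is 52 bytes, so a 300-byte certificate fits a classic UDP reply, a 1200-byte one needs either an EDNS0 buffer or TCP but still rides in a single unfragmented Ethernet frame, a 1500-byte one crosses the 1500-byte MTU once IP and UDP headers are added, and anything past 64K cannot be answered at all.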


