On 6/8/02 3:01 PM, "Steven M. Bellovin" <smb@research.att.com> wrote:
> I was excluding EDNS0, since I thought it wasn't widely implemented.

It has been implemented in the latest version of BINDv8, it has always been in BINDv9, and I believe it is in Microsoft's DNS server (not positive on this). Given EDNS0 is required for implementing DNS for IPv6, I wouldn't think it something you'd like to exclude.

> TCP fallback is, as you are painfully well aware, expensive.

Yes.

>> What is the average size of a CERT (honest question, I have no idea)?
> Good question -- and I don't think there's any one answer.

Hmm. "Average"?

> Technically, you're right, but a number of the essential concepts are
> the same, including the key one that the record you're looking for has
> to have a name in DNS space.

And, of course, there are applications in which this makes perfect sense (e.g., ssh).

Rgds,
-drc