To: Paul Hoffman / IMC <phoffman@imc.org>
Cc: Michael Richardson <mcr@sandelman.ottawa.on.ca>, keydist@cafax.se
From: Simon Josefsson <simon+keydist@josefsson.org>
Date: Tue, 08 Jan 2002 00:43:42 +0100
In-Reply-To: <p0510100fb85fc0ef41d7@[165.227.249.20]> (Paul Hoffman / IMC's message of "Mon, 7 Jan 2002 13:20:33 -0800")
Sender: owner-keydist@cafax.se
User-Agent: Gnus/5.090005 (Oort Gnus v0.05) Emacs/21.1.50 (i686-pc-linux-gnu)
Subject: Re: From whence we came...
Paul Hoffman / IMC <phoffman@imc.org> writes:

> At 9:41 AM -0500 1/7/02, Michael Richardson wrote:
>> You define your opaque blob and I'll define mine. We'll document our uses
>> in an RFC.
>> End of discussion.
>
> It appears that this discussion has more-than-tangentially been about
> passing around those blobs in the DNS protocol. A bare public key can
> be probably fit in the 512-octet limit that most people put on DNS
> under UDP; a typical PKIX certificate probably cannot. So the choice
> of the blob is in fact important for this discussion.

I challenge that this is important: "dig www.josefsson.org a +dnssec"
generates a 641 byte response. If the IPv4 address that is queried for
here is replaced with a public key, the response will probably not be
less than 512 octets. Key distribution in DNS, regardless of method,
seems likely to exceed the 512 octet limit, no?

"Fortunately", deployment of IPv6 and DNSSEC has the same issue (see
draft-ietf-dnsext-message-size-04.txt).
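The size argument in the message above can be checked by building the response in RFC 1035 wire format and measuring it. The following is an added example, not part of the original mail or of any dig output: it assembles a signed answer (answer RR plus RRSIG) for the name from the message, once with an A record and once with an RSA DNSKEY of a chosen modulus length, and reports whether the result fits the 512-octet UDP limit, fits only with an EDNS0 OPT record advertising a larger payload, or has to fall back to TCP. The 641-byte figure quoted in the message is not reproduced here; the key sizes, the 192.0.2.1 address, the signer name, the zeroed RRSIG timestamps and the all-0xFF modulus are constructed placeholders, and the exact byte counts therefore illustrate the mechanism rather than any real zone.

```python
"""Estimate DNS response sizes in RFC 1035 wire format (added example)."""
import struct

UDP_LIMIT = 512  # RFC 1035 4.2.1: UDP payload limit without EDNS0
TYPE_A, TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 1, 41, 46, 48


def encode_name(name):
    """Encode a domain name as length-prefixed labels, no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def rr(name, rtype, rdata, ttl=3600, rclass=1):
    """One resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def rsa_dnskey_rdata(modulus_len, exponent=b"\x01\x00\x01", flags=256, alg=5):
    """DNSKEY RDATA: flags, protocol 3, algorithm, then the RFC 3110 RSA
    public-key encoding (exponent length, exponent, modulus).
    The modulus is a constructed all-0xFF placeholder; only its length matters."""
    key = bytes([len(exponent)]) + exponent + b"\xff" * modulus_len
    return struct.pack("!HBB", flags, 3, alg) + key


def rrsig_rdata(type_covered, signer, sig_len, alg=5, labels=3, ttl=3600):
    """RRSIG RDATA with zeroed expiration/inception/key tag (placeholders)
    and a zero-filled signature of the given length."""
    fixed = struct.pack("!HBBIIIH", type_covered, alg, labels, ttl, 0, 0, 0)
    return fixed + encode_name(signer) + b"\x00" * sig_len


def signed_response(qname, qtype, rdata, signer, sig_len, edns_payload=None):
    """Authoritative response: question, answer RR, its RRSIG, and optionally
    an EDNS0 OPT pseudo-RR (RFC 2671) whose CLASS field carries the
    advertised UDP payload size."""
    answers = rr(qname, qtype, rdata) + rr(qname, TYPE_RRSIG, rrsig_rdata(qtype, signer, sig_len))
    additional = b""
    if edns_payload is not None:
        additional = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_payload, 0, 0)
    # ID, flags (QR=1, AA=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 1 if additional else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + answers + additional


def delivery_plan(response, client_payload=None):
    """How a server can deliver this response: plain UDP, UDP within the
    client's advertised EDNS0 payload, or TC=1 and a TCP retry."""
    n = len(response)
    if n <= UDP_LIMIT:
        return "udp"
    if client_payload is not None and n <= client_payload:
        return "udp-edns0"
    return "tcp"


if __name__ == "__main__":
    qname, signer = "www.josefsson.org", "josefsson.org"
    cases = {
        "A + RRSIG (1024-bit sig)": signed_response(qname, TYPE_A, bytes([192, 0, 2, 1]), signer, 128),
        "DNSKEY 1024 + RRSIG": signed_response(qname, TYPE_DNSKEY, rsa_dnskey_rdata(128), signer, 128),
        "DNSKEY 2048 + RRSIG": signed_response(qname, TYPE_DNSKEY, rsa_dnskey_rdata(256), signer, 256),
    }
    for label, resp in cases.items():
        print("%-28s %4d octets -> %s / %s" % (label, len(resp),
              delivery_plan(resp), delivery_plan(resp, 4096)))
```

With these placeholders the A answer and a 1024-bit DNSKEY answer both stay under 512 octets, while a 2048-bit key with a 2048-bit signature does not; a resolver that advertises a 4096-octet EDNS0 payload still receives it over UDP, one that does not gets a truncated reply and retries over TCP. Real responses carry more (authority and additional sections, NSEC/NSEC3 proofs, multiple signatures), so they only grow from here.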