

To: Derek Atkins <warlord@MIT.EDU>
Cc: Michael Richardson <mcr@sandelman.ottawa.on.ca>, keydist@cafax.se
From: Paul Hoffman / IMC <phoffman@imc.org>
Date: Tue, 8 Jan 2002 13:51:31 -0800
In-Reply-To: <sjmsn9gis7m.fsf@cutter-john.mit.edu>
Sender: owner-keydist@cafax.se
Subject: Re: From whence we came...

At 1:59 PM -0500 1/8/02, Derek Atkins wrote:
>Paul Hoffman / IMC <phoffman@imc.org> writes:
>
>>  At 9:43 PM -0500 1/7/02, Derek Atkins wrote:
>>  >I think we're already assuming EDNS0 and DNSSEC, which already requires
>>  >support for >512 bytes (and provides a way of negotiating support).
>>  >So, no, size is not (really) an issue.
>>
>>  OK, I admit that I am a bit naive about DNS politics. I thought that
>>  the objection to >512 octets was regardless of EDNS0. That is, even
>>  though the end systems are supposed to support longer packets, the
>>  UDP fragmentation happens in the middle of the net, and the end
>>  systems fall back to TCP. The EDNS0 document is far from clear (even
>>  after many readings, which I have done wearing my IDN hat).
>>
>>  So, are 2K-4K DNS responses OK now as long as they come in EDNS0?
>
>2K-4K?  Where do you get that size?  When I query, for example,
>"tislabs.com. IN ANY" I get a response of 2223 bytes (according to
>dig).  This response includes the SOA, 3 NS records, 2 MX records, 4
>KEY records, 1 NXT record, and 8 SIG records.  So, where is your
>4K coming from?

Many people will start using larger public key sizes and larger hash 
sizes in the coming years. And we have no idea how many SIG records 
will be appropriate once we start using DNSSEC for non-DNS type keys.

Given my cluelessness about EDNS0 and the travails of UDP sizes, any 
real answer to my questions above would be much appreciated. Heck, I 
might even like some informative abuse from Randy on this one.

--Paul Hoffman, Director
--Internet Mail Consortium
