On Monday, May 11, 2015 07:23:58 PM John Levine wrote:
> >I propose a short draft that updates 6376 to say MUST use at least 1024
> >bits and setting that as the minimum size verifiers must be able to
> >validate.  I'm volunteering to write it if people agree it's appropriate.
> That seems fine.  This makes the usable range fairly small, since keys
> longer than 1536 run into the 512 byte DNS packet limit which shouldn't
> still be an issue 16 years after EDNS0 was introduced, but is anyway.  I
> don't see that as a problem, but it's likely worth mentioning.

The last time I saw an interoperability problem related to EDNS0 was this
month, so while I generally agree, the impact is still non-zero (it may be
time to decide we don't care). Either way, I'm not proposing we do
anything other than raise the floor for this update, in order to avoid having to
decide about things like this.

> With regards to Doug's point, yeah, we could have other ways to
> distribute keys like, say, a new DNS record type that has a binary
> key.  For some reason, that gives me a bad feeling.

Even if it was a good idea, it wouldn't be a quick update.

Scott K
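To put numbers on the 512-byte concern raised in the quoted message, the following is an added illustration, not code from the list or from RFC 6376. It builds the DER SubjectPublicKeyInfo that a DKIM "p=" tag carries for k=rsa from a constructed modulus of the requested bit length (the DER size depends only on the bit length, so a real key is not needed), base64-encodes it as a publisher would, and then adds up the fields of the smallest possible UDP answer: header, question, and a single TXT RR with a compressed owner name. The selector and domain are placeholders I chose; a real answer may also carry authority and additional records, which only push the total higher.

```python
"""Estimate the DNS wire size of a DKIM key record for a given RSA key size.

Added example for the discussion above; not code from the mailing list or RFC 6376.
Assumptions: placeholder name selector1._domainkey.example.com, a minimal answer
with no authority/additional section, and a constructed modulus used only for its
length.
"""
import base64
import math

# rsaEncryption AlgorithmIdentifier: SEQUENCE { OID 1.2.840.113549.1.1.1, NULL }
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")
UDP_LIMIT = 512  # RFC 1035 maximum UDP payload when the querier offers no EDNS0


def der_len(n: int) -> bytes:
    """DER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_int(x: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps a value with the high bit set positive."""
    body = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der(0x02, body)


def spki_for_bits(bits: int, e: int = 65537) -> bytes:
    """SubjectPublicKeyInfo for an RSA key whose modulus is exactly `bits` bits.

    The modulus is a constructed stand-in (top bit set, odd), chosen only for
    its length; it is not a usable key.
    """
    n = (1 << (bits - 1)) | 1
    rsa_pub = der(0x30, der_int(n) + der_int(e))   # RSAPublicKey SEQUENCE
    bit_string = der(0x03, b"\x00" + rsa_pub)      # BIT STRING, 0 unused bits
    return der(0x30, RSA_ALG_ID + bit_string)


def dkim_txt(bits: int) -> str:
    """The TXT record text a publisher would put in DNS for this key size."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_for_bits(bits)).decode()


def txt_rdata_len(text: str) -> int:
    """TXT RDATA is one or more <len><chars> strings of at most 255 bytes each."""
    n = len(text.encode())
    return n + math.ceil(n / 255)


def wire_name_len(name: str) -> int:
    """Uncompressed wire form: a length byte per label plus the terminating root."""
    return sum(1 + len(label) for label in name.rstrip(".").split(".")) + 1


def min_response_size(bits: int, name: str = "selector1._domainkey.example.com") -> int:
    """Header + question + one TXT answer whose owner is a 2-byte compression pointer."""
    header = 12
    question = wire_name_len(name) + 2 + 2            # QNAME, QTYPE, QCLASS
    rr_fixed = 2 + 2 + 2 + 4 + 2                      # NAME ptr, TYPE, CLASS, TTL, RDLENGTH
    return header + question + rr_fixed + txt_rdata_len(dkim_txt(bits))


def fits_without_edns0(bits: int) -> bool:
    return min_response_size(bits) <= UDP_LIMIT


if __name__ == "__main__":
    for bits in (1024, 1536, 2048, 4096):
        size = min_response_size(bits)
        verdict = "fits within" if size <= UDP_LIMIT else "exceeds"
        print(f"{bits:5d}-bit: p= is {len(dkim_txt(bits)) - 18} chars, "
              f"minimal answer {size} bytes, {verdict} {UDP_LIMIT}")
```

Two things the numbers show that a practitioner should check before publishing: the record text passes 255 bytes well below 2048 bits, so the TXT RDATA must be split into several character-strings (verifiers concatenate them, but not every DNS provisioning UI does the split for you); and the headroom under 512 bytes for the larger sizes is small enough that anything a server adds beyond the bare answer, or a longer selector and domain, can tip the response into truncation for a querier without EDNS0.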