In message <[EMAIL PROTECTED]>, David Conrad writes:
>On 6/8/02 6:22 AM, "Steven M. Bellovin" <[EMAIL PROTECTED]> wrote:
>> DNS packets are limited to 512 bytes.
>
>No they are not. They are limited to 64K. Even without EDNS0, a large
>response can fall back to TCP. You know this.
I was excluding EDNS0, since I thought it wasn't widely implemented. TCP
fallback is, as you are painfully well aware, expensive.
>
>> Few MTUs are larger than 1500.
>
>What is the average size of a CERT (honest question, I have no idea)?
Good question -- and I don't think there's any one answer.
>
>> Anyway -- the concept is called "appkeys", and has been discussed in
>> the dnsext working group. Check the archives.
>
>I thought APPKEY was addressing putting non-self-validating keys into the
>DNS, relying on DNSSEC to insure a chain of trust.
>
Technically, you're right, but a number of the essential concepts are
the same, including the key one that the record you're looking for has
to have a name in DNS space.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
