Mark Andrews wrote:
> In message <[email protected]>,
> 🔒Roy Arends writes:
> > We'd end up adding stuff to a response in order to make it shorter.
> > We'd end up changing a 0x00 to a 0x01 in the OPT record.
> >
> > Is there a clear benefit (shorter responses)? Can you show me a few real
> > world examples?
>
> Every DNSSEC answer would be potentially shorter. The signer field
> can be compressed as can the domain names in all these types.
>
> hip ipseckey key lp nsec nxt rrsig sig talink nsap-ptr
> dnskey cdnskey
DNSSEC signer name fields are going to be fairly small for typical domains (barring outliers under .ip6.arpa). Isn't this a pretty trivial savings compared to the size of 1024 or 2048 bit RSA signatures?

E.g., the response to "dig +norec +dnssec @sfba.sns-pb.isc.org www.isc.org -t A" returns a 1623 byte response (for me) containing 8 RRSIGs, and replacing the uncompressed instances of "isc.org" (9 bytes) in each RRSIG signer field with a two byte compression pointer saves (8*9 - 8*2) = 56 bytes. So that saves you ~3.5% off a 1.6 KB response. Why bother? You will get a far larger savings by just turning on minimal-responses and replacing RSA with ECDSA, no code changes required :-)

-- 
Robert Edmonds

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
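The savings arithmetic in the thread assumes RFC 1035 label compression (a two-byte 0xC0xx pointer replacing a repeated suffix). The following is an added example, not code from the thread or from any named implementation: a minimal wire-format name encoder with a compression dictionary, a decoder that only follows pointers strictly backwards (so a crafted message with a self-referential or forward pointer fails fast instead of looping), and the signer-field savings calculation for the "isc.org" case above. The message layout in `demo()` is constructed for illustration: a 12-byte header, the question name, then eight signer names standing in for the RRSIG signer fields.

```python
import struct


def encode_name(name, offsets, msg_len):
    """Wire-encode `name` starting at absolute offset `msg_len`.

    `offsets` maps an already-emitted label suffix ("isc.org") to its
    absolute offset; when a suffix is found, a two-byte pointer is emitted
    instead of the remaining labels.  New suffixes are recorded so later
    names in the same message can reuse them.
    """
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in offsets:
            out += struct.pack("!H", 0xC000 | offsets[suffix])  # pointer
            return bytes(out)
        if msg_len + len(out) < 0x4000:  # pointers only address 14 bits
            offsets[suffix] = msg_len + len(out)
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range")
        out += bytes([len(raw)]) + raw
    out += b"\x00"  # root label terminates an uncompressed tail
    return bytes(out)


def decode_name(msg, pos):
    """Decode the name at `pos`; return (dotted name, offset after the field).

    Every pointer must land strictly before the position it was read from,
    which guarantees termination on hostile input (no pointer loops, no
    forward references), and the decoded name is capped at 255 octets.
    """
    labels, cur, end, total = [], pos, None, 0
    while True:
        if cur >= len(msg):
            raise ValueError("truncated name")
        n = msg[cur]
        if n & 0xC0 == 0xC0:  # compression pointer
            if cur + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", msg[cur:cur + 2])[0] & 0x3FFF
            if end is None:
                end = cur + 2  # field ends after the first pointer
            if target >= cur:
                raise ValueError("pointer does not go backwards (loop?)")
            cur = target
            continue
        if n & 0xC0:
            raise ValueError("reserved label type")
        if n == 0:
            return ".".join(labels) + ".", (end if end is not None else cur + 1)
        total += n + 1
        if total > 255:
            raise ValueError("name exceeds 255 octets")
        labels.append(msg[cur + 1:cur + 1 + n].decode("ascii"))
        cur += 1 + n


def is_safe_name(msg, pos):
    """True if the name at `pos` decodes without a pointer/length violation."""
    try:
        decode_name(msg, pos)
        return True
    except ValueError:
        return False


def rrsig_signer_savings(signer, count):
    """Bytes saved by replacing `count` uncompressed signer fields with
    two-byte pointers (the suffix must already appear in the message)."""
    return count * (len(encode_name(signer, {}, 0)) - 2)


def demo():
    """Constructed message: header, question 'www.isc.org', 8 signer names.
    Returns the byte difference between the uncompressed and compressed form."""
    offsets = {}
    base = bytearray(12) + encode_name("www.isc.org", offsets, 12)
    compressed, uncompressed = bytearray(base), bytearray(base)
    for _ in range(8):
        compressed += encode_name("isc.org", offsets, len(compressed))
        uncompressed += encode_name("isc.org", {}, len(uncompressed))
    return len(uncompressed) - len(compressed)


if __name__ == "__main__":
    print("signer savings for 8 RRSIGs:", rrsig_signer_savings("isc.org", 8))
    print("demo message savings:", demo())
```

Running it reproduces the 56 bytes from the thread; the decoder's backward-only rule is stricter than RFC 1035 requires, which is the usual trade when parsing untrusted packets.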
