It appears that Petr � pa� ek <[email protected]> said:
>> So I was thinking about that problem space and how to continue being as
>> efficient as possible without requiring every connection be over TCP and
>> every connection always downloading large RRsets.  And during thinking
>> about that, the bad idea fairy paid me a visit.  So I wrote down the
>> whispers from the fairy that entered my ears:
>> 
>> https://datatracker.ietf.org/doc/draft-hardaker-dnsop-nothing-new/
>
>Is this going far enough? Are we _sure_ 64k message limit is going to be 
>enough? Say 3 NSECs with their RRSIGs put as at 21 k per RRSIG tops.
>
>Anyone got an insight if we better start working on a new message format?

I'm pretty sure the answer is no.  A likely crypto scheme is ML-DSA-65
which has 2K byte public keys and 3.3K byte signatures.  That's bigger
than what we use now but it's not going to be anywhere close to the 64K
limit.

The 16 bit lengths are baked so deeply into the DNS protocol that even if we did
think keys or signatures were going to be enormous, I'd think very hard about
hacks to make them fit before trying to change the underlying protocol. For
example, we could publish keys with some sort of http pointer, or break them
into chunks and publish them at _1.foo, _2.foo, ... _42.foo, or for signatures
publish a hash which fits. I'm not saying those are particularly great ideas,
but they're the sorts of thing we could look at.

R's,
John

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to