It appears that Petr � pa� ek <[email protected]> said: >> So I was thinking about that problem space and how to continue being as >> efficient as possible without requiring every connection be over TCP and >> every connection always downloading large RRsets. And during thinking >> about that, the bad idea fairy paid me a visit. So I wrote down the >> whispers from the fairy that entered my ears: >> >> https://datatracker.ietf.org/doc/draft-hardaker-dnsop-nothing-new/ > >Is this going far enough? Are we _sure_ 64k message limit is going to be >enough? Say 3 NSECs with their RRSIGs put as at 21 k per RRSIG tops. > >Anyone got an insight if we better start working on a new message format?
I'm pretty sure the answer is no. A likely crypto scheme is ML-DSA-65 which has 2K byte public keys and 3.3K byte signatures. That's bigger than what we use now but it's not going to be anywhere close to the 64K limit. The 16 bit lengths are baked so deeply into the DNS protocol that even if we did think keys or signatures were going to be enormous, I'd think very hard about hacks to make them fit before trying to change the underlying protocol. For example, we could publish keys with some sort of http pointer, or break them into chunks and publish them at _1.foo, _2.foo, ... _42.foo, or for signatures publish a hash which fits. I'm not saying those are particularly great ideas, but they're the sorts of thing we could look at. R's, John
_______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
