On Tuesday, April 09, 2019 08:50:52 AM Bill Cole wrote:
> On 9 Apr 2019, at 5:36, Ntek, SIA Janis wrote:
> > What's your key-size?
> > My DNS provider does not support 2048, I found it out the hard way.
> 
> Note that this is usually due to a 255-character limit on a single
> string in a TXT record. This is because the character-string type in DNS
> is defined as a classical Pascal string: a single length byte followed
> by the content.
> 
> There is a workaround supported by most DNS servers: using multiple
> strings in a single TXT record. This is a part of the DNS standard (RFC
> 1035) so if your DNS service provider does not allow it, they are not a
> real DNS provider. :)

It's not that rare.  In fact it's the reason that RFC 8301 says MUST 1024, 
SHOULD 2048.  If we'd thought it wouldn't have caused significant operational 
problems for domains that don't host their own DNS, we'd have gone straight to 
MUST 2048 for additional future proofing.

Lots of domains have DNS provided by the domain name registrar (i.e. not a 
real DNS provider, I guess).

Scott K
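The 255-octet limit Bill describes and the multi-string workaround are easy to see in code. The following is an added example, not code from this thread or from any DKIM implementation: it builds the logical DKIM TXT value for a public key, splits it into RFC 1035 character-strings of at most 255 octets, renders the zone-file form, encodes the length-prefixed wire form, and then concatenates the strings back the way a DKIM verifier does (RFC 6376 section 3.6.2.2). The key material is a constructed stand-in: the byte strings are merely the same length as the DER SubjectPublicKeyInfo of a 1024-bit (162 bytes) and a 2048-bit (294 bytes) RSA key, so the resulting p= values have realistic sizes without being real keys. Function names and the `publish_and_verify` helper are this example's own.

```python
import base64
import struct

TXT_STRING_LIMIT = 255  # one length octet per <character-string> (RFC 1035 section 3.3)

# Constructed stand-ins, not real keys: an RSA SubjectPublicKeyInfo in DER is
# 162 bytes at 1024 bits and 294 bytes at 2048 bits, so these byte strings
# base64-encode to the same length a real p= value would have.
FAKE_SPKI_1024 = bytes(i % 256 for i in range(162))
FAKE_SPKI_2048 = bytes(i % 256 for i in range(294))


def dkim_record_value(spki_der: bytes) -> str:
    """Build the logical (unsplit) DKIM TXT value for a public key (RFC 6376 section 3.6.1)."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_der).decode("ascii")


def split_txt_strings(value: str, limit: int = TXT_STRING_LIMIT) -> list:
    """Split a long TXT value into character-strings of at most `limit` octets each."""
    data = value.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def zone_file_rdata(strings: list) -> str:
    """Render the strings as a zone file shows them: each one quoted, separated by spaces."""
    def quote(s):
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return " ".join(quote(s) for s in strings)


def wire_encode_txt(strings: list) -> bytes:
    """Encode TXT RDATA for the wire: each string is a length octet followed by its bytes.

    Refuses any string over 255 octets, which is exactly what a provider that
    stores the whole p= value as one string runs into with a 2048-bit key.
    """
    out = bytearray()
    for s in strings:
        b = s.encode("ascii")
        if len(b) > TXT_STRING_LIMIT:
            raise ValueError("character-string longer than 255 octets: %d" % len(b))
        out += struct.pack("!B", len(b)) + b
    return bytes(out)


def wire_decode_txt(rdata: bytes) -> str:
    """Parse TXT RDATA and concatenate the strings with nothing in between,
    as a DKIM verifier must (RFC 6376 section 3.6.2.2)."""
    parts = []
    i = 0
    while i < len(rdata):
        n = rdata[i]
        i += 1
        if i + n > len(rdata):
            raise ValueError("truncated character-string at offset %d" % i)
        parts.append(rdata[i:i + n].decode("ascii"))
        i += n
    return "".join(parts)


def publish_and_verify(spki_der: bytes):
    """Return (number of strings needed, zone-file RDATA, value recovered from the wire)."""
    value = dkim_record_value(spki_der)
    strings = split_txt_strings(value)
    wire = wire_encode_txt(strings)
    return len(strings), zone_file_rdata(strings), wire_decode_txt(wire)


if __name__ == "__main__":
    for bits, der in ((1024, FAKE_SPKI_1024), (2048, FAKE_SPKI_2048)):
        n, rdata, recovered = publish_and_verify(der)
        print("%d-bit key: %d character-string(s), round trip ok: %s"
              % (bits, n, recovered == dkim_record_value(der)))
        print("  " + rdata[:80] + "...")
```

With the constructed sizes, the 1024-bit record is 234 characters and fits in one string, while the 2048-bit record is 410 characters and must be published as two strings in the same TXT RR; a provider whose interface only accepts a single string fails at the `wire_encode_txt` check. The zone-file form with two quoted strings is what to paste into a provider that does support it, and the decoder shows why that is safe: a compliant verifier joins the strings before parsing the tags.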
