[dnssec-deployment] Cisco products, DNSSEC and EDNS0
Scott Rose
scottr at nist.gov
Wed Oct 12 08:49:54 EDT 2005
> -----Original Message-----
> From: DNSSEC deployment [mailto:dnssec-deployment at shinkuro.com] On Behalf
> Of Roy Arends
>
> It might be good to get some real stats on the size of requests. I hardly
> think they would be above 512 (dunno about secure dynamic updates of
> signed records in signed zones), so a configurable limit with a default of
> 512 seems fine for requests.
>
Dynamic update requests might push the limit of 512, but most should be ok.
Using SHA1 (which might be standard practice soon), TSIG records start to
push ~50-55 bytes. SHA256 gets to be around 75-80 bytes. That still leaves
room for DNSSEC data in the update. Although - how much DNSSEC data would
one expect? Won't the server sign the data before adding it? I guess that
depends on how the server/dynamic update is set up (online signing vs.
offline).
I believe HMAC-MD5 sizes are smaller. All of these are just rough estimates
though, YMMV.
Scott
> > It is possible to check that the size of the response is not larger
> > than the EDNS0 size information in the request. This is easy.
>
> Seems reasonable.
>
> > But, what to do with the max size of the request?
> >
> > If any of you explicitly tell me what you want to see, I will do
> > whatever I can to make sure that this is also implemented.
>
> Hope this helps.
>
> Roy
>
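An added example, not from this thread: it computes from the RFC 2845/RFC 4635 wire layout how many bytes a TSIG RR adds for the HMAC algorithms mentioned above, how much room that leaves under 512 bytes for the rest of a dynamic update, and applies the EDNS0 response-size check Roy describes (response must not exceed the size advertised in the requester's OPT RR, with 512 as the floor per RFC 6891). The key name and update size are constructed sample values.

```python
from typing import Optional

# Added example, not the original poster's code. Key name and sizes are constructed.

def wire_name_len(name: str) -> int:
    """Bytes an uncompressed DNS name occupies on the wire (length octets + root)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return sum(1 + len(lab) for lab in labels) + 1

# Algorithm name as it appears in the TSIG RDATA -> MAC length in bytes.
TSIG_ALGORITHMS = {
    "hmac-md5.sig-alg.reg.int.": 16,   # RFC 2845
    "hmac-sha1.": 20,                  # RFC 4635
    "hmac-sha256.": 32,                # RFC 4635
}

def tsig_rr_size(key_name: str, algorithm: str) -> int:
    """Total bytes a TSIG RR appends to a message (no 'other data', uncompressed key name)."""
    mac_len = TSIG_ALGORITHMS[algorithm]
    # RDATA: algorithm name, time signed (6), fudge (2), MAC size (2), MAC,
    # original ID (2), error (2), other len (2), other data (0 here).
    rdata = wire_name_len(algorithm) + 6 + 2 + 2 + mac_len + 2 + 2 + 2
    # RR header: owner name (the key name), TYPE (2), CLASS (2), TTL (4), RDLENGTH (2).
    return wire_name_len(key_name) + 2 + 2 + 4 + 2 + rdata

def headroom_after_tsig(update_size: int, key_name: str, algorithm: str,
                        limit: int = 512) -> int:
    """Bytes left under `limit` once the TSIG RR is added to an update of `update_size` bytes."""
    return limit - update_size - tsig_rr_size(key_name, algorithm)

def fits_requester_buffer(response_size: int, advertised_udp_size: Optional[int]) -> bool:
    """EDNS0 check: the response must not exceed the requester's advertised UDP payload size.
    No OPT RR means the classic 512-byte limit; advertised values below 512 count as 512."""
    limit = 512 if advertised_udp_size is None else max(512, advertised_udp_size)
    return response_size <= limit

if __name__ == "__main__":
    key = "update-key.example.com."   # constructed sample key name
    for alg in TSIG_ALGORITHMS:
        print(f"{alg:28s} TSIG RR = {tsig_rr_size(key, alg):3d} bytes, "
              f"headroom for a 300-byte update = {headroom_after_tsig(300, key, alg)}")
    print("1200-byte answer to a 4096-byte EDNS0 buffer ok:", fits_requester_buffer(1200, 4096))
```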