On Thu, 09 Jun 2011 at 15:09:41 +1200, Sebastian Castro wrote:
> We investigated different KSK sizes and their effect on response sizes for a DNSKEY query. The 512-byte limit was a concern before initial DNSSEC deployment, but the system seems to be coping well. The main concern is about clients supporting EDNS but being unable to receive fragmented packets. So we aimed to have a DNSKEY response below 1420 bytes (Ethernet MTU - headers).
I was reading up about BGPSEC and I came across an interesting presentation by K. Sriram from NIST that shows how using ECDSA can reduce the RIB size by more than half compared to RSA (if BGPSEC ever happens): http://www.antd.nist.gov/~ksriram/BGPSEC_RIB_Estimation.pdf

This got me thinking about packet size and DNSSEC, and it seems that the IETF have already looked at this, although the draft has expired: http://tools.ietf.org/html/draft-hoffman-dnssec-ecdsa-04

It seems that this would go a long way to reducing response size while maintaining a politically and technically acceptable level of security. Hopefully the draft comes back to life or is replaced by something better.

Nigel
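To put numbers on the sizing concern raised above (a DNSKEY response under 1420 bytes) and on the RSA-versus-ECDSA comparison, here is an added estimator of the DNSKEY response size from the RFC 4034 wire layouts; it is not code from the thread or from either poster. It assumes a placeholder zone name "example.", RSA exponent 65537, one RRSIG per listed signer, and an EDNS0 OPT record in the response.

```python
# Added example (not from the thread): estimate DNSKEY response size on the
# wire from the key set, using the RFC 4034 DNSKEY/RRSIG RDATA layouts.
# Assumptions (mine): placeholder zone "example.", RSA exponent 65537
# (3 bytes), one RRSIG per listed signer, EDNS0 OPT present, owner names in
# the answer section compressed to a 2-byte pointer (the RRSIG signer name
# must not be compressed, RFC 4034 section 3.1.7).

SAFE_RESPONSE = 1420  # threshold used in the thread (Ethernet MTU minus headers)

def wire_name_len(name):
    """Uncompressed wire length of a dotted name: label bytes plus root byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1

def dnskey_rdata_len(alg, bits):
    """DNSKEY RDATA = flags(2) + protocol(1) + algorithm(1) + public key."""
    if alg == "RSA":            # RFC 3110: exp-length(1) + exponent(3) + modulus
        key = 1 + 3 + bits // 8
    elif alg == "ECDSAP256":    # RFC 6605: X || Y, 32 bytes each
        key = 64
    elif alg == "ECDSAP384":
        key = 96
    else:
        raise ValueError("unsupported algorithm: " + alg)
    return 4 + key

def sig_len(alg, bits):
    """Signature bytes: RSA = modulus size, ECDSA = r || s."""
    return {"RSA": bits // 8, "ECDSAP256": 64, "ECDSAP384": 96}[alg]

def dnskey_response_size(zone, keys, signers):
    """keys: list of (alg, bits); signers: indices of keys whose RRSIG is included."""
    size = 12 + wire_name_len(zone) + 4         # header + question (name, QTYPE, QCLASS)
    rr_fixed = 2 + 10                            # owner pointer + TYPE/CLASS/TTL/RDLENGTH
    for alg, bits in keys:
        size += rr_fixed + dnskey_rdata_len(alg, bits)
    for i in signers:
        alg, bits = keys[i]                      # RRSIG: 18 fixed bytes + signer name + signature
        size += rr_fixed + 18 + wire_name_len(zone) + sig_len(alg, bits)
    return size + 11                             # EDNS0 OPT RR with no options

def fits_unfragmented(size, limit=SAFE_RESPONSE):
    return size <= limit

if __name__ == "__main__":
    cases = {
        "RSA 2048 KSK + 1024 ZSK, KSK-signed": (("RSA", 2048), ("RSA", 1024)),
        "ECDSA P-256 KSK + ZSK, KSK-signed":   (("ECDSAP256", 256), ("ECDSAP256", 256)),
        "RSA 4096 KSK rollover (2 KSKs) + 2048 ZSK, all signing":
            (("RSA", 4096), ("RSA", 4096), ("RSA", 2048)),
    }
    for label, keys in cases.items():
        n = dnskey_response_size("example.", keys, list(range(len(keys))) if len(keys) == 3 else [0])
        print(f"{label}: {n} bytes, fits={fits_unfragmented(n)}")
```

The rollover case shows where the 1420-byte budget actually bites: it is not the steady state but the moment two large RSA KSKs and their signatures sit in the RRset at once.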