DNS keyserver (was Re: gnupg-1.0.7: keyserver subdir?)

Simon Josefsson
jas@extundo.com
Wed Jul 10 12:59:02 2002

Michael Graff <explorer@flame.org> writes:
> Simon Josefsson <jas@extundo.com> writes:
>
>> Yes, one UDP round-trip is wasted.  OTOH the server can guess that
>> CERT RR's should be fetched with TCP, or it can use EDNS.0 to increase
>> the 512 byte limit (EDNS.0 is required with IPv6 and DNSSEC anyway, if
>> I recall correctly).
>
> Cool.  A key server DDOS attack is in your future.  :)
How so?
> That said, it's a good idea, and I considered writing one years ago,
> but before EDNS0 there was no real use...
The revocation certificate idea is a good one though, even without
EDNS0.
> Remember that the max payload (and max rdata size) is still 64k -
> headers, so you'll have to handle broken up data even over TCP.
Hm.  That is a problem. Perhaps it is easier to state that it won't
work with keys larger than 64kb though.
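The 512-byte UDP limit, the EDNS0 workaround and the 64k ceiling discussed above, made concrete as an added Python example (not code from this thread or from GnuPG): it builds a CERT query with and without an EDNS0 OPT record and classifies whether an answer carrying a single OpenPGP key of a given size fits over UDP, needs TCP, or cannot be served at all. The name `alice.example.org.` and the key sizes are constructed, and RR sizes assume no name compression (the worst case).

```python
import struct

DNS_HEADER_LEN = 12       # id, flags, qdcount, ancount, nscount, arcount
UDP_CLASSIC_LIMIT = 512   # RFC 1035 UDP payload cap without EDNS0
MAX_MESSAGE_LEN = 65535   # 16-bit length prefix over TCP, and 16-bit RDLENGTH
TYPE_CERT, TYPE_OPT, CLASS_IN = 37, 41, 1

def encode_name(name):
    """Wire-format owner name: 'alice.example.org.' -> b'\\x05alice\\x07example\\x03org\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_cert_query(name, udp_payload_size=None):
    """Query for the CERT RRset at `name`; with udp_payload_size, append an EDNS0 OPT RR."""
    arcount = 1 if udp_payload_size else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)  # flags: RD only
    msg = header + encode_name(name) + struct.pack("!HH", TYPE_CERT, CLASS_IN)
    if udp_payload_size:
        assert udp_payload_size >= UDP_CLASSIC_LIMIT  # EDNS0 may only raise the limit
        # OPT RR (RFC 2671): root owner name, TYPE=41, CLASS=requester's UDP payload
        # size, TTL=extended RCODE/version/flags (all zero), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, 0, 0)
    return msg

def cert_rr_len(name, key_len):
    """Uncompressed CERT RR: owner + type/class/ttl/rdlength + rdata (type, key tag, alg, key)."""
    return len(encode_name(name)) + 10 + 5 + key_len

def response_transport(name, key_len, udp_payload_size=None):
    """How a response carrying one CERT RR with a key_len-byte key would have to travel."""
    if 5 + key_len > MAX_MESSAGE_LEN:
        return "unservable: CERT RDATA exceeds 16-bit RDLENGTH"
    total = DNS_HEADER_LEN + len(encode_name(name)) + 4 + cert_rr_len(name, key_len)
    if udp_payload_size:
        total += 11  # responder echoes an OPT RR in the additional section
    if total > MAX_MESSAGE_LEN:
        return "unservable: message exceeds 64k even over TCP"
    if total <= (udp_payload_size or UDP_CLASSIC_LIMIT):
        return "udp"
    return "tcp"  # UDP answer would come back truncated (TC=1); resolver retries over TCP
```

A 1000-byte key already forces TCP without EDNS0 but rides UDP once the requester advertises a 4096-byte payload, while a key near 64k fails the message limit before it fails the RDLENGTH limit.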