> On 16 Jan 2018, at 16:14, Sebastian Nielsen <[email protected]> wrote:
> 
> Then you have a script that publishes the certificate. You could ACTUALLY 
> publish the certificate in the DNS zone as a TXT.

That would be a *remarkably* bad thing to do. More so when there already are 
RRtypes for storing certificates in the DNS (TLSA and CERT). TXT records get 
(mis)used for all sorts of things and it doesn't make sense to heap even more 
on to that existing babble. Or figuring out how to separate certificate 
favoured TXT records from any other TXT records that are floating about.

> Each TXT record may only contain up to 255 characters, but you could easily 
> split it up to multiple records.

Nope. A TXT record can hold up to 65535 bytes. The name of the TXT record is 
limited to 255 characters.

Splitting a certificate into multiple TXT records is another very bad idea. How 
would something know which TXT records need to be sorted/merged to reassemble 
the original string? Now suppose one of those TXT records got dropped from the 
Additional Section of a response. How would a client (know how to) recover from 
that? These are rhetorical questions BTW.


_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
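As an added example that is not part of the thread (the code, the function names and the sample bytes are constructed here, not taken from any ACME implementation): the TXT RDATA wire format of RFC 1035 section 3.3.14, which makes the two limits under discussion visible in code. Each <character-string> is one length octet followed by at most 255 octets, and a TXT RR holds one or more of them in order; RDLENGTH is a 16-bit field, so the whole RDATA tops out at 65535 octets. The last function shows what happens to a payload spread over several TXT RRs when the RRset arrives in a different order, or one RR short, as the rhetorical questions above describe. The stand-in "certificate" is a constructed byte string, not a real certificate.

```python
from __future__ import annotations

# Added example, not code from the thread. Wire-format constants from RFC 1035.
MAX_CHARACTER_STRING = 255   # one length octet => at most 255 data octets
MAX_RDATA = 65535            # RDLENGTH is a 16-bit field


def encode_txt_rdata(payload: bytes) -> bytes:
    """Pack payload into TXT RDATA: a sequence of <character-string>s,
    each a length octet followed by up to 255 octets, in payload order."""
    if not payload:
        raise ValueError("TXT RDATA needs at least one character-string")
    rdata = bytearray()
    for i in range(0, len(payload), MAX_CHARACTER_STRING):
        chunk = payload[i:i + MAX_CHARACTER_STRING]
        rdata.append(len(chunk))
        rdata += chunk
    if len(rdata) > MAX_RDATA:
        raise ValueError(
            f"RDATA is {len(rdata)} octets; RDLENGTH cannot exceed {MAX_RDATA}")
    return bytes(rdata)


def decode_txt_rdata(rdata: bytes) -> bytes:
    """Unpack TXT RDATA back into the concatenated payload, rejecting
    RDATA that ends in the middle of a <character-string>."""
    pos, parts = 0, []
    while pos < len(rdata):
        n = rdata[pos]
        pos += 1
        if pos + n > len(rdata):
            raise ValueError("truncated character-string")
        parts.append(rdata[pos:pos + n])
        pos += n
    if not parts:
        raise ValueError("empty TXT RDATA")
    return b"".join(parts)


def rdata_length(payload_len: int) -> int:
    """RDATA size for a payload: the payload plus one length octet per string."""
    return payload_len + -(-payload_len // MAX_CHARACTER_STRING)


def max_payload_per_txt_rr() -> int:
    """Largest payload a single TXT RR can carry under the 16-bit RDLENGTH."""
    payload_len = MAX_RDATA
    while rdata_length(payload_len) > MAX_RDATA:
        payload_len -= 1
    return payload_len


def reassemble_rrset(rrset: list[bytes]) -> bytes:
    """Naive reassembly of a payload split across several TXT RRs: decode
    each RR and concatenate in the order the RRs happened to arrive.
    An RRset carries no ordering, so this only works by luck."""
    return b"".join(decode_txt_rdata(rdata) for rdata in rrset)


# Constructed stand-in for a DER certificate: 1300 non-repeating octets,
# roughly the size of a real leaf certificate and spanning six strings.
FAKE_CERT = bytes((i * i) % 251 for i in range(1300))


def single_rr_roundtrip() -> bool:
    """One RR, several strings: order is preserved inside the RDATA."""
    rdata = encode_txt_rdata(FAKE_CERT)
    return (decode_txt_rdata(rdata) == FAKE_CERT
            and len(rdata) == rdata_length(len(FAKE_CERT)))


def multi_rr_fails_without_order() -> bool:
    """The same bytes split over six RRs of up to 256 octets each. Delivered
    in the order they were published, reassembly works; delivered in a
    different order (constructed here by reversing), or with one RR dropped,
    the client gets wrong bytes and has no way to tell from the RRset alone."""
    fragments = [FAKE_CERT[i:i + 256] for i in range(0, len(FAKE_CERT), 256)]
    rrset = [encode_txt_rdata(f) for f in fragments]
    in_order = reassemble_rrset(rrset) == FAKE_CERT
    reordered = reassemble_rrset(list(reversed(rrset))) == FAKE_CERT
    one_dropped = reassemble_rrset(rrset[1:]) == FAKE_CERT
    return in_order and not reordered and not one_dropped


if __name__ == "__main__":
    print("single-RR round trip ok:", single_rr_roundtrip())
    print("multi-RR breaks on reorder/loss:", multi_rr_fails_without_order())
    print("max payload per TXT RR:", max_payload_per_txt_rr())
```

The round trip through one RR works because the <character-string>s sit inside a single RDATA whose order the wire format fixes; nothing in the DNS fixes the order of RRs within an RRset, which is the hole the multi-RR variant falls into.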
