[excel2flow]

Yeah, right. But any CRL smaller then 64 KB can be distributed this way. So it would be CA's responsibility to keep them small, otherwise they would pay for the full traffic.

"The RDATA field in the DNS protocol may only hold data of size 65535 octets (64kb) or less. This means that each CERT RR MUST NOT contain more than 64kb of payload, even if the corresponding certificate or certificate revocation list is larger. This document addresses this by defining "indirect" data types for each normal type."