Mark Andrews wrote:
> In message <[email protected]>, P Vixie writes:
>> Tsig won't scale for something like this. Please consider sig0.
>
> I've got no objection to sig(0) but why won't it scale? There is
> an existing relationship so public key cryptography isn't needed.

sneaker net for key management, including revocation, emergency key swaps, for delegation-mostly domains that might have tens of millions of different subdomain operators, is a recipe for disaster.

> Sig(0) would require the KEY record to be in the parent zone or to
> be held by the registrar in a separate database. In the latter case
> you either need a database of KEY records or a database of TSIG
> keys. As far as I can tell there is no difference in the scaling
> requirements.

the KEY RR would also be SIG(0) updateable.

> Sig(0) might be marginally more secure as only one side holds
> material that needs to be kept private.

take that marginal difference and multiply it by six billion to get the internet wide impact over time.

-- 
Paul Vixie
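The property the two posters are weighing, who has to hold secret material and whether an operator can rotate its own key in band, is easy to see in a small model. The Go program below is an added illustration, not code from this thread, from BIND, or from any registrar. It assumes a constructed `UpdateRequest` stand-in instead of DNS UPDATE wire format, HMAC-SHA256 standing in for TSIG and Ed25519 standing in for a SIG(0) algorithm, and a hypothetical registrar that verifies child-zone updates. `Simulate` provisions `n` subdomain operators both ways, then checks what a copy of the registrar's key database lets someone forge, and whether an operator can replace its own KEY RR with an update signed by the old private key (the point behind "the KEY RR would also be SIG(0) updateable").

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// UpdateRequest is a constructed stand-in for a DNS UPDATE message (hypothetical;
// the real wire format does not matter for the key-management question).
type UpdateRequest struct {
	Zone string
	Body string
}

func (u UpdateRequest) bytes() []byte { return []byte(u.Zone + "\x00" + u.Body) }

// --- TSIG model: one shared secret per child zone, held by BOTH sides ---

func tsigMAC(secret []byte, u UpdateRequest) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(u.bytes())
	return m.Sum(nil)
}

// TSIGRegistrar must store every operator's shared secret to verify anything.
type TSIGRegistrar struct{ secrets map[string][]byte }

func (r *TSIGRegistrar) Verify(u UpdateRequest, mac []byte) bool {
	s, ok := r.secrets[u.Zone]
	return ok && hmac.Equal(mac, tsigMAC(s, u))
}

// --- SIG(0) model: registrar stores only the public KEY RR per zone ---

type SIG0Registrar struct{ keys map[string]ed25519.PublicKey }

func (r *SIG0Registrar) Verify(u UpdateRequest, sig []byte) bool {
	k, ok := r.keys[u.Zone]
	return ok && ed25519.Verify(k, u.bytes(), sig)
}

// rotateRequest is the update an operator sends to replace its own KEY RR.
func rotateRequest(zone string, newKey ed25519.PublicKey) UpdateRequest {
	return UpdateRequest{Zone: zone, Body: "replace KEY " + hex.EncodeToString(newKey)}
}

// RotateKey installs newKey only if the request verifies under the OLD key,
// so the operator never has to ship a secret to the registrar out of band.
func (r *SIG0Registrar) RotateKey(zone string, newKey ed25519.PublicKey, sig []byte) bool {
	if !r.Verify(rotateRequest(zone, newKey), sig) {
		return false
	}
	r.keys[zone] = newKey
	return true
}

// Result summarises the two models under a leaked registrar database.
type Result struct {
	Zones          int
	TSIGForgeable  int  // zones whose leaked TSIG secret yields a valid MAC
	SIG0Forgeable  int  // zones forgeable from the leaked KEY RRs (public keys)
	SIG0Rotated    bool // operator replaced its KEY RR in band
	OldKeyRejected bool // the superseded private key no longer verifies
}

func Simulate(n int) Result {
	tr := &TSIGRegistrar{secrets: map[string][]byte{}}
	sr := &SIG0Registrar{keys: map[string]ed25519.PublicKey{}}
	priv := map[string]ed25519.PrivateKey{} // held by operators only, never by the registrar
	for i := 0; i < n; i++ {
		zone := fmt.Sprintf("op%d.example.", i) // constructed child zone names
		s := make([]byte, 32)
		rand.Read(s)
		tr.secrets[zone] = s
		pub, pk, _ := ed25519.GenerateKey(rand.Reader)
		sr.keys[zone] = pub
		priv[zone] = pk
	}
	res := Result{Zones: n}
	// Constructed scenario: a copy of the registrar's databases has leaked.
	for zone, secret := range tr.secrets {
		u := UpdateRequest{Zone: zone, Body: "forged"}
		if tr.Verify(u, tsigMAC(secret, u)) { // the secret alone is enough
			res.TSIGForgeable++
		}
	}
	for zone := range sr.keys {
		// A public key cannot sign; the best available is an unrelated key pair.
		_, other, _ := ed25519.GenerateKey(rand.Reader)
		u := UpdateRequest{Zone: zone, Body: "forged"}
		if sr.Verify(u, ed25519.Sign(other, u.bytes())) {
			res.SIG0Forgeable++
		}
	}
	// Operator op0 rotates its own KEY RR, signing with the key it is retiring.
	zone := "op0.example."
	newPub, _, _ := ed25519.GenerateKey(rand.Reader)
	req := rotateRequest(zone, newPub)
	res.SIG0Rotated = sr.RotateKey(zone, newPub, ed25519.Sign(priv[zone], req.bytes()))
	after := UpdateRequest{Zone: zone, Body: "post-rotation"}
	res.OldKeyRejected = !sr.Verify(after, ed25519.Sign(priv[zone], after.bytes()))
	// No TSIG equivalent exists here: a new shared secret must reach both sides
	// by some other channel, which is the "sneaker net" cost at scale.
	return res
}

func main() { fmt.Printf("%+v\n", Simulate(10)) }
```

`Simulate(n)` reports every TSIG zone as forgeable after the leak and no SIG(0) zone, and shows the rotation succeeding while the retired key is refused afterwards. Revocation of a SIG(0) key is the same operation with the registrar deleting the KEY RR; for TSIG, both the deletion and the replacement require touching the operator's side too.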
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
