On Oct 13, 2014, at 7:17 AM, Stephane Bortzmeyer <[email protected]> wrote:
> On Sun, Oct 12, 2014 at 06:28:46PM +0530,
> Mukund Sivaraman <[email protected]> wrote
> a message of 176 lines which said:
>
>> Cons:
>
> Also:
>
> * since nameservers' names are much longer, you cannot have as many
> NS records in a packet,
> * the future (currently, it is non-existent) cryptographic agility
> will be made harder by this choice, since every algorithm used by
> DNScurve needs to have short keys (a label is limited in size).

Ummm, aren't we forgetting what is for many the much larger cons:

* The nameserver has to do a Diffie-Hellman key agreement with every relying party, hugely increasing the CPU load.
* The private key must be online all the time.
* The private key must be shared by all the nameservers.

Remember: DNSSEC is sign-once-and-serve; DNScurve is server-does-crypto-for-every-query.

--Paul Hoffman
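The two packet-level cons quoted above (fewer NS records per packet, and keys that must fit in one label) can be checked with a small sizing model. The following Python is an added example, not code from Paul Hoffman, Stephane Bortzmeyer or the DNSCurve project. It assumes RFC 1035's 63-octet label and 255-octet name limits, a classic 512-byte UDP payload with no EDNS0, an answer-section owner name compressed to a 2-byte pointer, no compression inside NS RDATA, and no glue records; it uses the standard library's RFC 4648 base32 with a `uz5` prefix as a stand-in for DNSCurve's own key encoding, and the keys and delegation it sizes are constructed sample data.

```python
import base64

# RFC 1035 limits and fixed sizes (known values, not taken from the thread)
MAX_LABEL = 63        # a single label is at most 63 octets
MAX_NAME = 255        # a whole wire-format name is at most 255 octets
DNS_HEADER = 12       # fixed DNS header size
UDP_PAYLOAD = 512     # classic DNS-over-UDP payload without EDNS0
RR_FIXED = 10         # TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2)
OWNER_POINTER = 2     # assumption: answer-section owner name is a compression pointer


def key_label(public_key: bytes, prefix: str = "uz5") -> str:
    """Build a DNSCurve-style nameserver label that carries a public key.

    Assumption: stdlib base32 (RFC 4648, unpadded, lowercase) stands in for
    DNSCurve's own base32 alphabet; the resulting label sizes are very close.
    """
    encoded = base64.b32encode(public_key).decode("ascii").rstrip("=").lower()
    return prefix + encoded


def label_fits(label: str) -> bool:
    """True if the label can be carried in DNS wire format at all."""
    return 1 <= len(label.encode("ascii")) <= MAX_LABEL


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a dotted name: length-prefixed labels plus root byte."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    for lab in labels:
        if not label_fits(lab):
            raise ValueError(f"label too long for DNS: {len(lab)} > {MAX_LABEL}")
    total = sum(1 + len(lab) for lab in labels) + 1  # +1 for the terminating zero byte
    if total > MAX_NAME:
        raise ValueError(f"name too long for DNS: {total} > {MAX_NAME}")
    return total


def ns_rr_len(nsdname: str) -> int:
    """Wire size of one NS RR in the answer section (owner as a 2-byte pointer)."""
    return OWNER_POINTER + RR_FIXED + wire_name_len(nsdname)


def ns_records_that_fit(owner: str, nsdnames: list, payload: int = UDP_PAYLOAD) -> int:
    """How many of the given NS RRs fit in one response after header and question."""
    used = DNS_HEADER + wire_name_len(owner) + 4  # question: QNAME + QTYPE + QCLASS
    count = 0
    for ns in nsdnames:
        size = ns_rr_len(ns)
        if used + size > payload:
            break
        used += size
        count += 1
    return count


def compare_ns_capacity(owner: str = "example.com.", n: int = 20,
                        payload: int = UDP_PAYLOAD) -> dict:
    """Conventional vs key-bearing NS names for a constructed delegation (sample data)."""
    conventional = [f"ns{i:02d}.{owner}" for i in range(1, n + 1)]
    # constructed 32-byte keys (256 bits, the size of a Curve25519 public key)
    curve = [f"{key_label(bytes([i]) * 32)}.{owner}" for i in range(1, n + 1)]
    return {
        "conventional": ns_records_that_fit(owner, conventional, payload),
        "dnscurve": ns_records_that_fit(owner, curve, payload),
    }


if __name__ == "__main__":
    print(compare_ns_capacity())                 # {'conventional': 16, 'dnscurve': 5}
    print(label_fits(key_label(bytes(32))))      # True: a 256-bit key fits in one label
    print(label_fits(key_label(bytes(64))))      # False: a 512-bit key cannot be a label
```

With these assumptions a 512-byte answer for `example.com.` holds 16 conventional NS records but only 5 key-bearing ones, and `label_fits` shows the agility point directly: a 256-bit key encodes to a 55-character label, while a 512-bit key would need 106 characters and has no legal DNS encoding at all, so any future algorithm with larger keys cannot reuse the name-based scheme. Raising the payload (as EDNS0 would) relaxes the first constraint but not the second.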
