On Mon, Oct 13, 2014 at 11:15 AM, Paul Hoffman <[email protected]> wrote:
> On Oct 13, 2014, at 7:17 AM, Stephane Bortzmeyer <[email protected]> wrote:
>
>> On Sun, Oct 12, 2014 at 06:28:46PM +0530,
>> Mukund Sivaraman <[email protected]> wrote
>> a message of 176 lines which said:
>>
>>> Cons:
>>
>> Also:
>>
>> * since nameservers' names are much longer, you cannot have as many
>> NS records in a packet,
>> * the future (currently, it is non-existent) cryptographic agility
>> will be made harder by this choice, since every algorithm used by
>> DNScurve needs to have short keys (a label is limited in size).
>
> Ummm, aren't we forgetting what is for many the much larger cons:
>
> * The nameserver has to do a Diffie-Hellman key agreement with every relying
> party, hugely increasing the CPU load.
>
> * The private key must be online all the time.
>
> * The private key must be shared by all the nameservers.
>
> Remember: DNSSEC is sign-once-and-serve; DNScurve is
> server-does-crypto-for-every-query.
And the biggest problem: there isn't an advocate for the protocol to push it through a WG process. DJB has not played that role to date. I don't think he plans to do so in future. I am not sure if it's fair to have a presentation that's a pile-on criticizing it.

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
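To put numbers on the two packet-size cons quoted above (fewer NS records per message, and a key that must fit in one label), here is an added example that is not part of the thread or of DNSCurve itself. It assumes RFC 1035 limits (63-byte labels, 255-byte names, 512-byte UDP message without EDNS), a DNSCurve key label of "uz5" plus 51 base-32 characters (54 bytes), name compression of the shared zone suffix, and a constructed zone `example.com` with constructed host and key labels.

```python
# Added example, not code from the thread or from DNSCurve.
# Limits follow RFC 1035; the 54-byte "uz5..." key label shape is an
# assumption stated in the lead-in; zone and labels are constructed.

MAX_LABEL, MAX_NAME, HEADER, UDP_BUDGET = 63, 255, 12, 512
ALPHABET = "0123456789abcdefghijklmnopqrstuv" * 2   # placeholder base-32 symbols

def constructed_key_label(i: int) -> str:
    """Placeholder label shaped like a DNSCurve public-key label, distinct per i."""
    return "uz5" + (ALPHABET[i % 32:] + ALPHABET)[:51]

def wire_name_len(name: str) -> int:
    """Bytes of an uncompressed wire-format name: (len + label) per label, plus root byte."""
    labels = [lb for lb in name.rstrip(".").split(".") if lb]
    if any(len(lb) > MAX_LABEL for lb in labels):
        raise ValueError("label exceeds 63 bytes")
    total = sum(1 + len(lb) for lb in labels) + 1
    if total > MAX_NAME:
        raise ValueError("name exceeds 255 bytes")
    return total

def ns_rr_len(ns_name: str, zone: str) -> int:
    """Wire size of one NS RR; owner and the zone suffix of RDATA compress to 2-byte pointers."""
    fixed = 2 + 2 + 2 + 4 + 2                       # owner ptr, TYPE, CLASS, TTL, RDLENGTH
    suffix = "." + zone
    unique = ns_name[: -len(suffix)] if ns_name.endswith(suffix) else ns_name
    return fixed + (wire_name_len(unique) - 1) + 2  # unique labels (no root) + zone pointer

def ns_records_that_fit(ns_names, zone: str, budget: int = UDP_BUDGET) -> int:
    """How many of ns_names fit in the message after the header and question section."""
    used, count = HEADER + wire_name_len(zone) + 4, 0   # QNAME + QTYPE + QCLASS
    for n in ns_names:
        if used + ns_rr_len(n, zone) > budget:
            break
        used += ns_rr_len(n, zone)
        count += 1
    return count

def max_key_bits_in_label(prefix: str = "uz5", bits_per_char: int = 5) -> int:
    """Upper bound on key bits one base-32 label can carry: the agility ceiling."""
    return (MAX_LABEL - len(prefix)) * bits_per_char

def compare(zone: str = "example.com", hosts: int = 30) -> dict:
    """Classic short NS names versus key-bearing names under the same UDP budget."""
    classic = [f"ns{i:02d}.{zone}" for i in range(hosts)]
    curve = [f"{constructed_key_label(i)}.{zone}" for i in range(hosts)]
    return {"classic": ns_records_that_fit(classic, zone),
            "dnscurve": ns_records_that_fit(curve, zone),
            "max_key_bits": max_key_bits_in_label()}
```

Each key-bearing NS record costs 69 bytes against 19 for a short name, so a 512-byte answer holds 7 instead of 25, and a single label tops out around 300 bits of key material, which rules out larger-key algorithms without changing the naming scheme.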
