On 24 Apr 2009, at 22:18, Paul Hoffman wrote:
>> If there is a practical limit to key size due to concerns about
>> people's validators running out of steam, then I think it needs to
>> be stated clearly. Otherwise as a zone administrator my instinct
>> will be to use keys that are as large as possible, since the costs
>> incurred by doing so are going to be borne by other people and all
>> I see is benefit (in the form of increased comfort level and a
>> better story for upper management, even if there is no practical
>> improvement in security).
>
> That's certainly your option. Another option is to listen to
> cryptographers about what is possible with a reasonable amount of
> money and time, and stop there.

My point is that given the choice between "doing what is currently
considered safe" and "exceeding what is currently considered safe by a
factor of four with no additional cost to you" I think many otherwise
uninformed zone administrators are conditioned to choose the latter.

>> On the flip side, how can the "real cost" for validator-operators
>> that you assert be quantified?
>
> Exactly.

So your point is that you don't know how to quantify it?

>> I have a hand in running a couple of non-validating resolvers for a
>> local ISP. 35,000 customers are served by two machines running BIND
>> 9.5.x on FreeBSD 7.1, and the CPUs are 96% idle at peak load.
>> That's a fair amount of headroom, even ignoring the fact that the
>> ISP in question is in the process of replacing each machine with an
>> ECMP/OSPF cluster of two machines in order to simplify ad-hoc
>> maintenance.
>>
>> I'm not arguing about the assertion that there is a limit to what
>> validators can tolerate. However, it seems reasonable to ask if
>> it's the kind of limit that we need to worry about, and not the
>> kind of limit that is always going to fit in that headroom as
>> validator hardware gets upgraded on a typical cycle and DNSSEC
>> deployment proceeds over time.
>
> How will you know? Why not stop when enough is enough?

Because there's no incentive for a zone administrator to choose
anything other than the largest key her tools let her create. So what
is "enough"?
Joe
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
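The thread asks how the "real cost" to validator operators of oversized RSA keys could be quantified. The script below is an added illustration, not code from the DNSOP thread or from any of its participants: it times the public-key operation a validator performs per RSA RRSIG check (s^e mod n with e = 65537) for 1024-, 2048- and 4096-bit moduli and converts the result into the fraction of one CPU core consumed at an assumed validation rate. The moduli are constructed random odd numbers of the right bit length rather than real RSA keys; that is a deliberate assumption, since the verifier's cost depends only on the size of n and the exponent, not on n having a secret factorisation. The validation rate of 2000 per second in the usage line is likewise an assumed figure, not one from the thread.

```python
"""Rough cost model for DNSSEC validation: seconds per RSA signature
check as the key size grows, and what that means for CPU headroom.

Added illustration for the key-size discussion; not code from the
DNSOP thread. Moduli are constructed stand-ins (random odd numbers of
the requested bit length), not real RSA keys, because the cost of the
verifier's computation s^e mod n depends only on the size of n and on
e, not on whether n has a secret factorisation.
"""
import secrets
import statistics
import time

PUBLIC_EXPONENT = 65537  # the exponent commonly used for DNSSEC RSA keys


def make_modulus(bits):
    """Constructed stand-in for an RSA modulus: a random odd integer with
    exactly `bits` bits (top bit forced on)."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1


def verify_cost_seconds(bits, samples=5, reps=20):
    """Median seconds per public-key operation on a `bits`-bit modulus.

    Each sample times `reps` modular exponentiations of a random
    'signature' s by the public exponent, which is the arithmetic a
    validator performs for every RSA RRSIG it checks."""
    n = make_modulus(bits)
    s = secrets.randbelow(n)
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        for _ in range(reps):
            pow(s, PUBLIC_EXPONENT, n)
        timings.append((time.perf_counter() - start) / reps)
    return statistics.median(timings)


def cost_table(sizes=(1024, 2048, 4096)):
    """Per-operation cost for each key size, plus the ratio to the
    smallest size in `sizes` (so the first entry has relative == 1.0)."""
    costs = {bits: verify_cost_seconds(bits) for bits in sizes}
    base = costs[sizes[0]]
    return {bits: {"seconds": c, "relative": c / base}
            for bits, c in costs.items()}


def cpu_fraction(bits, validations_per_second):
    """Fraction of one core spent on RSA verification at an assumed
    validation rate: the headroom question raised in the thread."""
    return verify_cost_seconds(bits) * validations_per_second


if __name__ == "__main__":
    table = cost_table()
    for bits, row in table.items():
        print(f"{bits:5d}-bit: {row['seconds'] * 1e6:9.1f} us/verify "
              f"({row['relative']:.1f}x the 1024-bit cost)")
    # 2000 validations/s is an assumed load figure, not one from the thread.
    print(f"2000 validations/s with 4096-bit keys uses about "
          f"{cpu_fraction(4096, 2000):.0%} of one core")
```

The absolute numbers are specific to this interpreter's bignum arithmetic and the host CPU; a validator's C implementation will be faster. The ratios are the useful part: with a fixed small exponent the number of modular multiplications is constant, so each doubling of the modulus multiplies the per-check cost by roughly four (or somewhat less once Karatsuba multiplication kicks in), which is the "factor of four" in key size turning into an order of magnitude in validator CPU.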