At 18:30 -0400 6/17/10, Olafur Gudmundsson wrote:
> I agree with you but there are still people out there that believe
> that key size is a tradeoff in time.
"Belief" - engineering shouldn't be about beliefs.
I think the hard part for many of us to grasp is that for many years
the conventional wisdom of the DNSSEC practitioners was that "size
mattered" and now we are hearing differently. It might be good to
have a document that refutes the notion that size matters in a way
that is convincing to DNS'ers (as Olafur alludes to).
(My operational insistence on regularly changing the keys is no
longer based on the "size matters" argument. There are other
operational considerations and the lack of a revocation mechanism for
DNSSEC key material.)
> Remember I'm arguing against the KSK+ZSK split in most cases, a different
> thread will be started on key size recommendation.
I don't think KSK+ZSK is a dead or outmoded idea. One thing Olafur
didn't mention was the presence of EPP which wasn't foreseen when the
KSK+ZSK concept was conceived. EPP is one more advance that makes
single key systems attractive, but EPP isn't everywhere and not all
registries have quick response as a goal. (By that I mean the root
zone prioritizes checking each change over getting it done in an
hour.)
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
The World Cup would be more fun if they didn't interrupt it with soccer games.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop