On 18/06/2010 12:35 PM, Edward Lewis wrote:
> At 18:30 -0400 6/17/10, Olafur Gudmundsson wrote:
>
>> I agree with you but there are still people out there that believe
>> that key size is a tradeoff in time.
>
> "Belief" - engineering shouldn't be about beliefs.
>
> I think the hard part for many of us to grasp is that for many years the
> conventional wisdom of the DNSSEC practitioners was that "size mattered"
> and now we are hearing differently. It might be good to have a document
> that refutes the notion that size matters in a way that is convincing to
> DNS'ers (as Olafur alludes to).
>
>> The topic is that EKR is against the practice of frequently rolling
>> a weak 1024-bit RSA key. He is recommending that people use a strong
>> key in the first place.
>
> (My operational insistence on regularly changing the keys is no longer
> based on the "size matters" argument. There are other operational
> considerations and the lack of a revocation mechanism for DNSSEC key
> material.)

Different domains are going to have different "rollover requirements"
irrespective of how many keys are used.
Please stay on topic:
Should the WG document recommend/bless single key usage in
some/many cases?

>> Remember I'm arguing against the KSK+ZSK split in most cases; a different
>> thread will be started on key size recommendation.
>
> I don't think KSK+ZSK is a dead or outmoded idea. One thing Olafur
> didn't mention was the presence of EPP which wasn't foreseen when the
> KSK+ZSK concept was conceived. EPP is one more advance that makes single
> key systems attractive, but EPP isn't everywhere and not all registries
> have quick response as a goal. (By that I mean the root zone prioritizes
> checking each change over getting it done in an hour.)

Thank you Ed for bringing up a good point that I missed.
When EPP is used and the intermediary supports passing DS records,
the child can update its DS set as easily as most people maintain their
NS records.

        Olafur
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop