On 04/01/2014 03:39 PM, Phillip Hallam-Baker wrote:
>
> Yes, I agree, but you are proposing a different DNSSEC model to the one
> they believe in.
>
> The DNS world has put all their eggs into the DNSSEC from Authoritative
> to Stub client model. They only view the Authoritative to Resolver as a
> temporary deployment hack.
>
> So they resisted the idea of an authenticated Stub-client <-> Resolver
> protocol and they dumb down the crypto so their model will work.
>
>
> Weakening the crypto algorithms to make the architecture work is always
> a sign that the wrong architecture is being applied.
>

Oh come on. If anything, one would expect that doing the validation on the end machines is *easier* despite needing more cycles to do so, since there is much less work to do and generally many more cycles to spare. So I don't see your reasoning about 'them' follow up into this conclusion here.

The way I read it, Olafur is asking for people to consider other sizes, and operational issues, rather than simply saying "double 'em up, yeeha". One may disagree (I do too, as it happens, for different reasons), or one can consider it and still come to the conclusion that 2048/4096 are the only right sizes (for now, we'll need better algos soonish I guess).

Jelte

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
