Paul,

> Let me clarify things a bit,

Thanks very much for this note. The issue of the ZSK length is something that has popped up on various radars on various occasions and, given the recent publicity over at imperialviolet and sockpuppet on 1024-bit RSA, it'd be good to explore this in more detail to see what level of nightmare we'd be inflicting upon ourselves (if any).

> In other words, whichever clients cannot handle a root ZSK of 2048
> already has a severe problem with DNS. I don't think we would be adding
> much of a problem by just switching to 2048 today.

While I tend to agree, this assumes the clients would notice, which obviously depends on the names being looked up. Do you have any idea of (say) the popularity of the names behind large RRsets (e.g., their Alexa ranking or something similar)?

> Of course, once you believe we can do a ZSK of 2048, there is no urgency
> to move to ECDSA and we can wait on the CFRG to come up with a non-DSA
> ECC algorithm for us.

Yep. I'd really like to go to ECDSA, but it doesn't look like there is enough support out there for it (at least for root purposes).

> So unless Australia is not reachable by a significant portion of the
> world doing DNSSEC, the root is not going to see an issue either.

According to http://w3techs.com/technologies/overview/top_level_domain/all (random stats site selected by closed-eye googling, no idea whether their methodology is reasonable), .AU represents 1% of websites. If 20% of DNS queries are doing DNSSEC lookups, and a small fraction of those are behind broken middleboxes that puke on large RRsets, I can (barely) see an argument that the universe is too small to make a reasonable determination...

I guess a larger question is "do we care?". I'll be honest and say I'm increasingly concerned that broken middleware-driven ossification is getting in the way of fixing serious problems.

Regards,
-drc
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
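The size question in the message above (a 1024- versus 2048-bit root ZSK, and the "large RRsets" that appear while keys are being rolled) can be put into numbers directly from the DNS wire format. The Python below is an added example for this thread, not code from the message, from any root operator, or from the DNSOP list. The key configurations, the choice that only the KSK(s) sign the DNSKEY RRset, the RSA exponent 65537, an OPT record with no options, and the three byte thresholds are all assumptions I chose for illustration; they are not a statement of the root zone's actual policy.

```python
"""Estimate the wire size of a DNSKEY response as a function of RSA key sizes.

Added example for the ZSK-length discussion; not code from the thread.
Assumptions (not from the original message): RSA public exponent 65537
(3 octets), the DNSKEY RRset is signed by the KSK(s) only, the EDNS0 OPT
record carries no options, and no name compression is applied (for the
root label "." compression would make no difference anyway).
"""

HEADER_LEN = 12    # DNS message header
OPT_RR_LEN = 11    # OPT pseudo-RR: name(1) + type(2) + class(2) + TTL(4) + RDLENGTH(2)
RR_FIXED_LEN = 10  # type(2) + class(2) + TTL(4) + RDLENGTH(2), excluding the owner name

# Assumed thresholds; which one matters depends on the path between resolver and server.
THRESHOLDS = {
    "512 (no EDNS0: truncated, client retries over TCP)": 512,
    "1232 (conservative EDNS0 buffer: IPv6 minimum MTU minus IP/UDP headers)": 1232,
    "1472 (IPv4 Ethernet MTU minus IP/UDP headers: fragments above this)": 1472,
}


def wire_name_len(name: str) -> int:
    """Uncompressed length of an owner name: one length octet per label plus the root octet."""
    labels = [lbl for lbl in name.strip(".").split(".") if lbl]
    return sum(1 + len(lbl) for lbl in labels) + 1


def rsa_pubkey_len(bits: int, exponent_bytes: int = 3) -> int:
    """RFC 3110 public key field: exponent length (1 or 3 octets), exponent, modulus."""
    if bits % 8:
        raise ValueError("key size must be a multiple of 8 bits")
    exp_len_field = 1 if exponent_bytes < 256 else 3
    return exp_len_field + exponent_bytes + bits // 8


def dnskey_rr_len(owner: str, bits: int) -> int:
    """DNSKEY RR: owner + fixed fields + RDATA (flags 2, protocol 1, algorithm 1, key)."""
    rdata = 2 + 1 + 1 + rsa_pubkey_len(bits)
    return wire_name_len(owner) + RR_FIXED_LEN + rdata


def rrsig_rr_len(owner: str, signer: str, bits: int) -> int:
    """RRSIG RR: 18 octets of fixed RDATA + signer name + one modulus-sized signature."""
    rdata = 2 + 1 + 1 + 4 + 4 + 4 + 2 + wire_name_len(signer) + bits // 8
    return wire_name_len(owner) + RR_FIXED_LEN + rdata


def dnskey_response_len(zone: str, key_bits: list[int], signer_bits: list[int]) -> int:
    """Response to `zone DNSKEY` with DO=1: header, question, keys, one RRSIG per signer, OPT."""
    question = wire_name_len(zone) + 2 + 2
    answer = sum(dnskey_rr_len(zone, b) for b in key_bits)
    answer += sum(rrsig_rr_len(zone, zone, b) for b in signer_bits)
    return HEADER_LEN + question + answer + OPT_RR_LEN


def exceeded(size: int) -> list[str]:
    """Labels of the thresholds a response of this size does not fit under."""
    return [label for label, limit in THRESHOLDS.items() if size > limit]


# Assumed (illustrative) root-zone key configurations: (DNSKEY sizes, signing-key sizes).
SCENARIOS = {
    "steady state, ZSK 1024":           ([2048, 1024], [2048]),
    "ZSK rollover, two 1024 ZSKs":      ([2048, 1024, 1024], [2048]),
    "steady state, ZSK 2048":           ([2048, 2048], [2048]),
    "ZSK rollover, two 2048 ZSKs":      ([2048, 2048, 2048], [2048]),
    "KSK rollover, ZSK 2048":           ([2048, 2048, 2048], [2048, 2048]),
    "KSK and ZSK rollover overlapping": ([2048, 2048, 2048, 2048], [2048, 2048]),
}


def scenario_sizes() -> dict[str, int]:
    """DNSKEY response size for the root apex under each assumed scenario."""
    return {name: dnskey_response_len(".", keys, signers)
            for name, (keys, signers) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, size in scenario_sizes().items():
        over = exceeded(size)
        print(f"{name:34s} {size:5d} bytes  exceeds: {', '.join(over) or 'none'}")
    # The ZSK signs every other RRset in the zone, so each of those RRSIGs grows too.
    growth = rrsig_rr_len(".", ".", 2048) - rrsig_rr_len(".", ".", 1024)
    print(f"per-signature growth, 1024 -> 2048: {growth} bytes")
```

Under these assumptions a 2048-bit ZSK adds 128 bytes to every RRSIG the ZSK produces (so to every signed referral and negative answer, not only the DNSKEY response), and the root DNSKEY response stays under 1472 bytes in every scenario except an overlapping KSK and ZSK rollover. The figures can be checked against the MSG SIZE line of `dig . DNSKEY +dnssec`; a live answer will differ by whatever EDNS options the server adds.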
