> On 7. 7. 2026, at 20:11, Wes Hardaker <[email protected]> wrote: > > Ondřej Surý <[email protected]> writes: > >> The malicious server can just say "nope, this is new". > > Agreed, it does not prevent someone in the middle from doing what we're > already heading to: TCP always and all data always. > > That wasn't the point. 90% of the requests that would be transmitted > over TCP every 5 minutes. If someone the middle really wanted that to > continue, I agree you're stuck. But if most of the parties on the > planet do play nicely (and most do) then we can greatly reduce the > potential traffic levels.
It is not "the middle". Even if majority of the servers plays nice, the bad actors are the ones shaping the defenses in the auths and resolvers. >> I believe it is dangerous to say "it is ok to deploy PQC algorithms with >> large signatures" because we have these optimizations. > > I don't think I ever said that. I am not claiming that **you** specifically did, but I've seen this argument elsewhere (on pqc-forum list) where this seems like to be a done thing for DNSSEC, because DNS can do TCP/TLS/HTTP. I don't think it is that easy and I would like the cryptographers to provide us with more support for smaller signature sizes. >> The fact is that we either need a PQC algorithm that will be >> size-suitable for DNS or we will have to brace for the impact of >> completely switching to TCP. > > The top of my document lays out an argument that: > > 1. we better accept TCP is coming I am starting to tend to agree, but I have some more measurements on my mind to do. > 2. but we may try to reduce the amount of traffic we do send to mitigate > some of that impact. I this that it doesn't matter that much and we should rather focus on making the TCP work just fine for DNS than. (E.g. I agree with what Joe said.) Cheers, Ondrej -- Ondřej Surý (He/Him) [email protected] A gentle nudge is always appreciated if I take a little longer to reply. _______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
