> On 7. 7. 2026, at 20:11, Wes Hardaker <[email protected]> wrote:
> 
> Ondřej Surý <[email protected]> writes:
> 
>> The malicious server can just say "nope, this is new".
> 
> Agreed, it does not prevent someone in the middle from doing what we're
> already heading to: TCP always and all data always.
> 
> That wasn't the point.  90% of the requests that would be transmitted
> over TCP every 5 minutes.  If someone the middle really wanted that to
> continue, I agree you're stuck.  But if most of the parties on the
> planet do play nicely (and most do) then we can greatly reduce the
> potential traffic levels.

It is not "the middle". Even if majority of the servers plays nice, the bad
actors are the ones shaping the defenses in the auths and resolvers.

>> I believe it is dangerous to say "it is ok to deploy PQC algorithms with
>> large signatures" because we have these optimizations.
> 
> I don't think I ever said that.

I am not claiming that **you** specifically did, but I've seen this argument
elsewhere (on pqc-forum list) where this seems like to be a done thing for
DNSSEC, because DNS can do TCP/TLS/HTTP.

I don't think it is that easy and I would like the cryptographers to provide us
with more support for smaller signature sizes.

>> The fact is that we either need a PQC algorithm that will be
>> size-suitable for DNS or we will have to brace for the impact of
>> completely switching to TCP.
> 
> The top of my document lays out an argument that:
> 
> 1. we better accept TCP is coming

I am starting to tend to agree, but I have some more measurements on my
mind to do.

> 2. but we may try to reduce the amount of traffic we do send to mitigate
> some of that impact.


I this that it doesn't matter that much and we should rather focus on making
the TCP work just fine for DNS than. (E.g. I agree with what Joe said.)

Cheers,
Ondrej
--
Ondřej Surý (He/Him)
[email protected]

A gentle nudge is always appreciated if I take a little longer to reply.


_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to