Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

2008-08-16 Thread Patrik Fältström
On 15 aug 2008, at 22.01, David Conrad wrote: Let me try to (hopefully) more clearly articulate my question: given the fact that caching servers only care about DNSSEC if they're explicitly configured to do so, does anyone anticipate any stability/security concerns to those folks who

Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

2008-08-16 Thread Mark Andrews
David Conrad wrote: Given this, does anyone see any DNS security and/or stability concerns if a miracle were to happen and the root were to be signed tomorrow? Well, it will introduce a lot of large RRs, which may cause problems. Considering that two RRs each containing 2048 bit

Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

2008-08-16 Thread Dean Anderson
On Sat, 16 Aug 2008, Ted Lemon wrote: On Aug 16, 2008, at 4:56 PM, Dean Anderson wrote: For example, besides the previously mentioned key rollover issue, I understand that DNSSEC also doesn't allow the protocol to be changed securely. And we do expect the protocol to be changed. As a

Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

2008-08-16 Thread Masataka Ohta
Mark Andrews wrote: Considering that two RRs each containing 2048 bit data will need oversized messages, they may not be properly treated by some servers. Those suffering from oversized messages may turn off DNSSEC and there is instability for those moving with their laptops. And how