On Fri, Aug 22, 2008 at 01:22:41PM +1000, Mark Andrews wrote:
Which is why I said look at SE and BR. Their response
profile to DO queries will be the same as the roots assuming
you choose similar key sizes.
See, I think this premise is one for which we have very close to no
On Wed, Aug 20, 2008 at 03:27:15PM +, Paul Vixie wrote:
i answered this on namedroppers, where the thread actually belongs.
at the risk of splitting hairs, the three different proposals did not all
strive to change the protocol. Also, this started out from the observation
that ANY queries
Both of Ohta-san's points are entirely valid.
On Ohta-san's first point: DJB is convinced that 1024-bit RSA is
crackable with a botnet. And if 1024 isn't crackable now, it probably
will be shortly. So it is probably possible or soon will be possible to
crack keys and then forge many DNSSEC
On Aug 22, 2008, at 6:41 AM, Matt Larson wrote:
What disturbs me is that I detect a disturbing drumbeat of "We must
sign the root now--now now NOW!" in discussions in various venues.
Such talk doesn't show prudence but panic.
Let's sign the root. But let's do it diligently, always keeping in
On Fri, 22 Aug 2008, Matt Larson wrote:
Dean,
On Fri, 22 Aug 2008, Dean Anderson wrote:
It is mandatory in the _proper_ response. Of course, the _forged_
response can have anything the bad guy wants. If the bad guy decides
not to follow 4035 (gasp! we never thought the bad guys might
On Wed, Aug 20, 2008 at 04:06:05PM -0700, David Conrad wrote:
- if the advertised EDNS0 buffer size is not large enough, it will
trigger truncation and, as a result, an increase in the number of TCP
sessions going to the root.
assumed that it's reasonable to focus on referrals and
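The mechanism David Conrad describes above (advertised EDNS0 buffer size too small for a DO=1 response, so the server sets TC and the resolver retries over TCP) as a self-contained simulation. This is an added example, not code from the thread or from any root-server operator: the response sizes REFERRAL_SIZE and DNSSEC_EXTRA are constructed, illustrative numbers, and the "server" is a function that mimics truncation rather than a real nameserver. The query and OPT RR encoding follow the wire format (RFC 1035 header and question, RFC 2671/6891 OPT pseudo-RR, RFC 3225 DO bit).

```python
import struct

OPT_TYPE = 41       # EDNS0 OPT pseudo-RR
DO_FLAG = 0x8000    # DNSSEC OK bit, high bit of the OPT "TTL" flags field

# Constructed, illustrative sizes in bytes (NOT measured root-server figures):
REFERRAL_SIZE = 500   # unsigned referral for a TLD: NS RRset plus glue
DNSSEC_EXTRA = 1400   # DS/NSEC plus RRSIGs that a DO=1 query pulls in


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, udp_size=None, do=False):
    """Build a DNS query (RD set). If udp_size is given, append an OPT RR
    advertising that UDP payload size, with DO set when requested."""
    arcount = 1 if udp_size is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b""
    if udp_size is not None:
        # OPT: root name, TYPE=41, CLASS=udp payload size,
        # "TTL" = ext-rcode(8) | version(8) | flags(16, DO is 0x8000), RDLEN=0
        flags = DO_FLAG if do else 0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, flags, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_edns(msg):
    """Return (advertised_udp_size, do) from a query's OPT RR.
    A query with no OPT RR is a plain RFC 1035 client: 512 bytes, no DO."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns):                     # not expected in a query; skip properly anyway
        off = skip_name(msg, off)
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlen
    for _ in range(ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            # RFC 6891: advertised sizes below 512 are treated as 512
            return max(rclass, 512), bool(ttl & DO_FLAG)
    return 512, False


def serve_udp(query):
    """Simulated authoritative server. Returns (bytes_sent, tc_set): the referral
    grows by DNSSEC_EXTRA when DO=1, and is truncated (TC=1) when it would not
    fit the client's advertised UDP payload size."""
    udp_size, do = parse_edns(query)
    size = REFERRAL_SIZE + (DNSSEC_EXTRA if do else 0)
    if size > udp_size:
        return udp_size, True
    return size, False


def resolve(qname, udp_size=None, do=False):
    """Client side: query over UDP first, retry over TCP only when TC is set.
    Returns (udp_bytes_received, tcp_sessions_opened)."""
    query = build_query(qname, 1, udp_size=udp_size, do=do)
    udp_bytes, tc = serve_udp(query)
    return udp_bytes, (1 if tc else 0)


if __name__ == "__main__":
    for udp_size, do in [(None, False), (512, True), (1280, True), (4096, True)]:
        udp_bytes, tcp = resolve("com.", udp_size, do)
        print(f"advertised={udp_size!s:>5} DO={int(do)} udp_bytes={udp_bytes:4d} tcp_sessions={tcp}")
```

With DO=1 and an advertised size of 512 or 1280 the simulated referral (1900 bytes here) does not fit, TC is set and the client opens a TCP session; at 4096 it fits and no TCP fallback happens. Whether real root referrals cross a given threshold depends on the key sizes and the number of signatures actually in the response, which is exactly the quantity the thread is arguing about.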
On Fri, 22 Aug 2008, Ted Lemon wrote:
On Aug 22, 2008, at 7:23 AM, Dean Anderson wrote:
Sigh. Above is precisely the sort of non-critical analysis that causes
these things to have so many problems.
Instead of making fun of other people's lack of critical thinking, you
might want to
Peter Koch wrote:
On Wed, Aug 20, 2008 at 03:27:15PM +, Paul Vixie wrote:
i answered this on namedroppers, where the thread actually belongs.
at the risk of splitting hairs, the three different proposals did not all
strive to change the protocol. Also, this started out from the
One other issue around DO is that it was introduced to signal understanding
of DNSSEC as per RFC 2535. The reaction of hypothetical 2535-only
resolvers to DNSSECbis responses is to be explored. I vaguely remember that
we've had this discussion of versioning the DO bit.
It's not a