[DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn

2014-01-14 Thread Andrew Sullivan
Dear colleagues, For my sins, I have been following some of the recent discussions about Internet governance. One of the discussions over on the 1net list (http://1net-mail.1net.org/mailman/listinfo/discuss) is about the control by one particular government of the DNS root zone, and how

Re: [DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn

2014-01-14 Thread Joe Abley
On 2014-01-14, at 12:22, Andrew Sullivan a...@anvilwalrusden.com wrote: For my sins, I have been following some of the recent discussions about Internet governance. One of the discussions over on the 1net list (http://1net-mail.1net.org/mailman/listinfo/discuss) is about the control by one

Re: [DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn

2014-01-14 Thread Andrew Sullivan
On Tue, Jan 14, 2014 at 01:54:56PM -0500, Joe Abley wrote: It's interesting to see that what was actually built in 2009/2010 is largely compatible (at the high-level diagram level) with what was proposed

I thought that was interesting too. However, each RKO you add increases the operational

Re: [DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn

2014-01-14 Thread George Michaelson
If multiple independent entities sign, can't they elect to use shorter algorithms? I know 'short can be spoofed' is out there, but since there are now n * 512 instead of 1 * 2048 is it not theoretically possible that at a cost of more complexity, it can be demonstrated that as long as 1) the sigs

Re: [DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn

2014-01-14 Thread Joe Abley
On 2014-01-14, at 18:04, George Michaelson g...@algebras.org wrote: If multiple independent entities sign, can't they elect to use shorter algorithms? I know 'short can be spoofed' is out there, but since there are now n * 512 instead of 1 * 2048 is it not theoretically possible that at

Re: [DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn

2014-01-14 Thread Paul Hoffman
On Jan 14, 2014, at 3:04 PM, George Michaelson g...@algebras.org wrote: If multiple independent entities sign, can't they elect to use shorter algorithms? I know 'short can be spoofed' is out there, but since there are now n * 512 instead of 1 * 2048 is it not theoretically possible that

Re: [DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn

2014-01-14 Thread Doug Barton
On 01/14/2014 12:08 PM, Andrew Sullivan wrote: Good point. I think the idea is that this is a feature, because it's supposed to be the Mutually-Assured Destruction threat that will prevent the USG from unilaterally removing some country from the root zone (that seems to be the threat people are

Re: [DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn

2014-01-14 Thread George Michaelson
Thanks for the cluestick hit. So we can't trade multiple sigs for length, which means, for public benefit reasons, adding more visible signers at the top does irredeemably increase the dataset size because the key size has to stay high. There are no free lunches for public accountability. On Wed,

Re: [DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn

2014-01-14 Thread Mark Andrews
In message 52d5db58.3040...@dougbarton.us, Doug Barton writes: On 01/14/2014 04:43 PM, Doug Barton wrote: Other than the DS records (if any) the records associated with a given TLD (specifically the NS records) in the root are not signed. ... obviously the glue records are not signed