On Apr 1, 2014, at 6:39 AM, Phillip Hallam-Baker <hal...@gmail.com> wrote:

> Yes, I agree, but you are proposing a different DNSSEC model to the one they
> believe in.
>
> The DNS world has put all their eggs into the DNSSEC from Authoritative to
> Stub client model. They only view the Authoritative to Resolver as a
> temporary deployment hack.

And in that case (which is, I agree, what is needed), the time to verify really doesn't matter one fucking bit, since those clients really won't care about an extra 50 MICROseconds to validate the crypto. Heck, they won't notice 50 milliseconds...

> Weakening the crypto algorithms to make the architecture work is always a
> sign that the wrong architecture is being applied.

And weakening the crypto needlessly like this is even worse. IMO, all DNSSEC software should simply refuse to generate <2048b RSA keys.

--
Nicholas Weaver                    it is a tale, told by an idiot,
nwea...@icsi.berkeley.edu          full of sound and fury,
510-666-2903                       .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
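The minimum-key-size policy argued for in the message above, as an added example that is not part of the original thread or of any DNSSEC implementation: a check that measures the modulus of an RSA DNSKEY (RFC 3110 wire format: exponent length, exponent, then modulus) and rejects anything below 2048 bits, while passing non-RSA algorithms through untouched. The key material it builds for its own test cases is synthetic (only the modulus length is meaningful), and the function and constant names are this example's own.

```python
import base64
import binascii
import struct
from typing import Tuple

# Policy from the message above: refuse RSA keys shorter than 2048 bits.
MIN_RSA_BITS = 2048

# DNSKEY algorithm numbers whose public key field is an RFC 3110 RSA key.
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1",
                  8: "RSASHA256", 10: "RSASHA512"}


def rsa_modulus_bits(public_key: bytes) -> int:
    """Return the modulus size in bits of an RFC 3110 encoded RSA public key.

    Wire layout: one byte of exponent length (or 0x00 followed by a two-byte
    length when the exponent is longer than 255 bytes), the exponent, and the
    modulus occupying the rest of the field.
    """
    if len(public_key) < 1:
        raise ValueError("empty RSA public key")
    exp_len = public_key[0]
    offset = 1
    if exp_len == 0:
        if len(public_key) < 3:
            raise ValueError("truncated exponent length field")
        exp_len = struct.unpack("!H", public_key[1:3])[0]
        offset = 3
    modulus = public_key[offset + exp_len:]
    if not modulus:
        raise ValueError("no modulus present after exponent")
    # Count the bits of the integer so a (non-conformant) leading zero byte
    # cannot inflate the reported key size.
    return int.from_bytes(modulus, "big").bit_length()


def check_dnskey(algorithm: int, public_key_b64: str,
                 min_rsa_bits: int = MIN_RSA_BITS) -> Tuple[bool, str]:
    """Apply the minimum-size policy to one DNSKEY's algorithm and key field.

    Returns (accepted, reason). Non-RSA algorithms are accepted as-is; only
    RSA keys are measured against min_rsa_bits.
    """
    if algorithm not in RSA_ALGORITHMS:
        return True, "algorithm %d is not RSA; size policy not applied" % algorithm
    try:
        raw = base64.b64decode(public_key_b64, validate=True)
        bits = rsa_modulus_bits(raw)
    except (ValueError, binascii.Error) as exc:
        return False, "malformed RSA public key: %s" % exc
    name = RSA_ALGORITHMS[algorithm]
    if bits < min_rsa_bits:
        return False, "%s key is %d bits, below the %d-bit minimum" % (name, bits, min_rsa_bits)
    return True, "%s key is %d bits" % (name, bits)


def make_rsa_dnskey_field(modulus_bits: int, exponent: bytes = b"\x01\x00\x01") -> str:
    """Build a constructed RFC 3110 field whose modulus has the given bit size.

    The modulus is a placeholder (top bit and low bit set), not a real RSA
    modulus; this check only cares about its length.
    """
    n_bytes = (modulus_bits + 7) // 8
    modulus = bytearray(n_bytes)
    modulus[0] = 0x80 >> ((8 - modulus_bits % 8) % 8)  # set exactly the top bit
    modulus[-1] |= 0x01
    if len(exponent) > 255:
        header = b"\x00" + struct.pack("!H", len(exponent))
    else:
        header = bytes([len(exponent)])
    return base64.b64encode(header + exponent + modulus).decode("ascii")


if __name__ == "__main__":
    # Constructed cases: synthetic key fields, only the sizes are meaningful.
    cases = [(8, make_rsa_dnskey_field(1024)),
             (8, make_rsa_dnskey_field(2048)),
             (10, make_rsa_dnskey_field(4096)),
             (13, "AAAA")]  # ECDSAP256SHA256: not RSA, policy does not apply
    for alg, key in cases:
        accepted, reason = check_dnskey(alg, key)
        print("ACCEPT" if accepted else "REJECT", reason)
```

The same check can be wired into whatever tool validates zone data or generates keys; refusing at generation time, as the message proposes, keeps a weak key from ever being published, while checking at validation time only lets a resolver choose how to treat one it receives.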