On 3 April 2014 04:18, David Conrad <d...@virtualized.org> wrote:
> Paul,
>
> On Apr 3, 2014, at 12:38 AM, Paul Wouters <p...@nohats.ca> wrote:
>>>> Saving space and time does matter.  Roughly half the operators I studied 
>>>> would include a backup key on-line because "they could" with the shorter 
>>>> length.  And performance does matter - ask the web browser people.
>> Because we want to make security decisions based on a 1ms latency browser 
>> war?
>
> We want to make security decisions that actually improve security.
>
> Making a decision that results in people turning security off because the 
> (perceived at least) performance impact is too large does not improve 
> security.
>
> People are already doing insanely stupid things (e.g., not following TTLs) 
> because they eke out a couple of extra milliseconds in reduced RTT per query 
> (which, multiplied by the zillions of queries today's high content websites 
> require, does actually make a difference).
>
> Having not looked into it sufficiently, I do not have a strong opinion as to 
> whether increasing key lengths will result in people either not signing or 
> turning off validation, but I believe it wrong to disregard performance 
> considerations.

Before that question even becomes relevant, DNSSEC has to actually get
to the endpoints reliably, which we know it doesn't. By the time that
happens, the whole question of what key size should be used will
likely have a different answer anyway.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop