On Jan 23, 2015, at 9:40 AM, Liang Zhu <liang...@usc.edu> wrote:

> There have been repeated questions about how big DNSSEC keys should
> be. We are also interested in understanding at what point IPv4
> fragmentation becomes common in UDP responses as key size increases,
> since IPv4 fragmentation brings performance problems such as packet
> re-transmission due to lost fragments.
>
> We analyze two DNS traces captured at a root server and a TLD server,
> by replacing the current 1024-bit RSA signature with longer ones. We
> find that:
>
> 1. A root trace suggests there is minimum (almost no) risk to go to
> 2048-bit ZSK and 2048-bit KSK for root server.
>
> 2. A TLD trace shows 5.5% of DNSSEC-enabled responses getting IPv4
> fragmented with 2048-bit ZSK and more with longer keys. We suggest TLD
> and other authoritative server operators analyze their server's
> response traffic and inform their customers of possible problems
> before moving to use longer keys.
>
> For details of our methodology and graphs, please see
> http://isi.edu/ant/tdns/keysize.html
What is the problem with #2? IP fragmentation happens, and The Internet is expected to work with it. That is, of what possible value is "inform their customers"?

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
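As an added illustration of the size arithmetic behind the study's approach (this is not code from the thread, the authors or the ISI page), the script below takes a few constructed DNSSEC response shapes, swaps in RSA signatures and DNSKEY records of a chosen key size while leaving everything else unchanged, and reports which responses would exceed a single unfragmented IPv4 datagram. The 1500-byte MTU, header sizes, exponent 65537, EDNS buffer size and the sample response shapes are all assumptions.

```python
# Estimate DNSSEC response growth with longer RSA keys and whether the UDP
# response would then fragment on IPv4. Constructed example; assumed values:
# 1500-byte MTU, 20-byte IPv4 + 8-byte UDP headers, RSA exponent 65537.
from dataclasses import dataclass

MAX_UDP_PAYLOAD = 1500 - 20 - 8   # 1472 bytes of DNS message per unfragmented datagram
RSA_EXPONENT_LEN = 3              # 65537 = 0x010001

def rsa_sig_len(bits):
    """RFC 3110: an RSA signature is exactly the modulus length in octets."""
    return bits // 8

def rsa_dnskey_pubkey_len(bits):
    """RFC 3110 public key field: exponent-length octet, exponent, modulus."""
    return 1 + RSA_EXPONENT_LEN + bits // 8

@dataclass(frozen=True)
class Shape:
    name: str
    base_len: int   # header, question, names, non-RSA RDATA, OPT (constructed)
    n_rrsig: int    # RSA signatures in the message
    n_dnskey: int   # RSA DNSKEY records in the message

def response_len(shape, bits):
    """Same trick as the study: keep everything else, resize only RSA parts."""
    return (shape.base_len + shape.n_rrsig * rsa_sig_len(bits)
            + shape.n_dnskey * rsa_dnskey_pubkey_len(bits))

def classify(length, edns_bufsize=4096):
    """What happens to a UDP response of this size."""
    if length > edns_bufsize:
        return "truncated"    # TC=1, resolver retries over TCP
    if length > MAX_UDP_PAYLOAD:
        return "fragmented"   # IPv4 fragments; one lost fragment loses the answer
    return "fits"

def fragmented_fraction(shapes, bits):
    """Share of responses that would fragment at a given RSA key size."""
    return sum(classify(response_len(s, bits)) == "fragmented" for s in shapes) / len(shapes)

SAMPLE = [  # constructed response shapes, not taken from any real trace
    Shape("signed A answer", 300, n_rrsig=1, n_dnskey=0),
    Shape("signed referral with DS", 600, n_rrsig=1, n_dnskey=0),
    Shape("NSEC3 NXDOMAIN", 800, n_rrsig=3, n_dnskey=0),
    Shape("DNSKEY (1 KSK + 1 ZSK)", 200, n_rrsig=2, n_dnskey=2),
]
if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        print(f"{bits}-bit RSA: {fragmented_fraction(SAMPLE, bits):.0%} would fragment",
              [(s.name, classify(response_len(s, bits))) for s in SAMPLE])
```

Run against an operator's own response-size distribution (from a packet capture or query log) instead of the constructed shapes, the same arithmetic gives the per-key-size fragmentation share the study reports.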