System administrators insist on being able to change their records with at most a few days notice---typically one day. See my ``Extremely long TTLs'' message for further discussion of this point. With DNSSEC, those records would have to be signed again every day. It is not acceptable from a security perspective to have signatures last longer than this; otherwise an attacker would be able to interfere with changes by forging an old DNS response under the old signature. Occasional renumbering is not going to add noticeably to this cost. In fact, unless renumbering has to happen with less than a day's notice, the extra cost is zero. ---Dan -------------------------------------------------------------------- IETF IPng Working Group Mailing List IPng Home Page: http://playground.sun.com/ipng FTP archive: ftp://playground.sun.com/pub/ipng Direct all administrative requests to [EMAIL PROTECTED] --------------------------------------------------------------------
- The case against A6 and DNAME D. J. Bernstein
- Re: The case against A6 and DNAME Ignatios Souvatzis
- Re: The case against A6 and DNAME David Harmelin
- Re: The case against A6 and DNAME David Harmelin
- Re: The case against A6 and DNAME D. J. Bernstein
- Re: The case against A6 and DNAME Ian Jackson
- Re: The case against A6 and DNAME Matt Crawford
- RE: The case against A6 and DNAME Jim . Bound
- RE: The case against A6 and DNAME Christian Huitema
- Re: The case against A6 and DNAME Bill Sommerfeld
- Re: The case against A6 and DNAME D. J. Bernstein
- Re: The case against A6 and DNAME Nathan Lutchansky
- Re: The case against A6 and DNAME Matt Crawford
- RE: The case against A6 and DNAME Jim . Bound
- Re: The case against A6 and DNAME D. J. Bernstein
- Re: The case against A6 and DNAME D. J. Bernstein
- RE: The case against A6 and DNAME Jim . Bound
- Re: The case against A6 and DNAME JIM FLEMING
- RE: The case against A6 and DNAME David R. Conrad
- Re: The case against A6 and DNAME D. J. Bernstein
- Re: The case against A6 and DNAME David R. Conrad