Andrew Sullivan wrote:
> I am not sure I am so sanguine, but this put in my mind the
> draft-ietf-dnsop-respsize draft, which I now realise was never
> published as an RFC.
>
> I'd like this thread to discuss the "so what, use TCP!" remark.
Nice idea.
http://www.potaroo.net/ispcol/2013-09/dnstc

Andrew Sullivan wrote:
>
> It _might_, if the idea were instead that validators used n of m.
N of M validation also solves the other problems Joe mentioned, to do with
key rollover and failure to sign. That is, if a signer drops out (because
it failed to sign the DNSKEY RRset, or because it rolle

In message <52d5db58.3040...@dougbarton.us>, Doug Barton writes:
> On 01/14/2014 04:43 PM, Doug Barton wrote:
> > Other than the DS records (if any) the records associated with a given
> > TLD (specifically the NS records) in the root are not signed.
>
> ... obviously the glue records are not sig

thanks for the cluestick hit. so we can't trade multiple sigs for length,
which means for public benefit reasons adding more visible signers at the
top does irredeemably increase the dataset size because the key size has to
stay high.
there are no free lunches for public accountability.
On Wed,

On 01/14/2014 04:43 PM, Doug Barton wrote:
Other than the DS records (if any) the records associated with a given
TLD (specifically the NS records) in the root are not signed.
... obviously the glue records are not signed either of course. My point
was that it's the delegation that some parano

On 01/14/2014 12:08 PM, Andrew Sullivan wrote:
Good point. I think the idea is that this is a feature, because it's
supposed to be the Mutually-Assured Destruction threat that will
prevent the USG from unilaterally removing some country from the root
zone (that seems to be the threat people are

On Jan 14, 2014, at 3:04 PM, George Michaelson wrote:
> If multiple independent entities sign, can't they elect to use shorter
> algorithms?
>
> I know 'short can be spoofed' is out there, but since there are now n * <512>
> instead of 1 * 2048 is it not theoretically possible that at a cost o

On 2014-01-14, at 18:04, George Michaelson wrote:
> If multiple independent entities sign, can't they elect to use shorter
> algorithms?
>
> I know 'short can be spoofed' is out there, but since there are now n * <512>
> instead of 1 * 2048 is it not theoretically possible that at a cost of m

If multiple independent entities sign, can't they elect to use shorter
algorithms?
I know 'short can be spoofed' is out there, but since there are now n *
<512> instead of 1 * 2048 is it not theoretically possible that at a cost
of more complexity, it can be demonstrated that as long as 1) the sig

On Tue, Jan 14, 2014 at 01:54:56PM -0500, Joe Abley wrote:
> It's interesting to see that what was actually built in 2009/2010 is
> largely compatible (at the high-level diagram level) with what was
> proposed
I thought that was interesting too.
> However, each RKO you add increases the operatio

On 2014-01-14, at 12:22, Andrew Sullivan wrote:
> For my sins, I have been following some of the recent discussions
> about "Internet governance". One of the discussions over on the
> "1net" list (http://1net-mail.1net.org/mailman/listinfo/discuss) is
> about the control by one particular gover

Dear colleagues,
For my sins, I have been following some of the recent discussions
about "Internet governance". One of the discussions over on the
"1net" list (http://1net-mail.1net.org/mailman/listinfo/discuss) is
about the control by one particular government of the DNS root zone,
and how uncom