[Opendnssec-user] Default ZSK sizes
Miek Gieben
miek at miek.nl
Wed Jan 25 12:32:20 UTC 2012
[ Quoting <ondrej at sury.org> at 12:20 on Jan 25 in "Re: [Opendnssec-user..." ]
> >
> > I always get a bit sad because of these mails... If rsa is vulnerable
>
> Why sad? I think it's useful to discuss this once in a while. Also because
> it looks like (for an outsider) that cryptographers are like lawyers. You ask
> 5 lawyers about something and you get 7 different opinions :).
>
> And it had gathered quite a few good points. Thanks to all involved.
>
> > there are better targets than the DNS.
>
> Like a key which signs 100.000+ domains?
Like a bank that uses such a key to secure transactions...
I'd rather have someone using 1 good key for 100.000+ domains, than
100.000+ keys and then drown in the key management.
In a similar vein are discussions about the number of hash iterations
in NSEC3 records. I highly doubt that specifying that number is most
important in a DNSSEC deployment...
"You don't have to outrun the bear, you only have to outrun the others".
grtz,
--
Miek