[Opendnssec-user] Default ZSK sizes
miek at miek.nl
Wed Jan 25 12:32:20 UTC 2012
[ Quoting <ondrej at sury.org> at 12:20 on Jan 25 in "Re: [Opendnssec-user..." ]
> > I always get a bit sad because of these mails... If rsa is vulnerable
> Why sad? I think it's useful to discuss this once in a while. Also because
> it looks like (for an outsider) that cryptographers are like lawyers. You ask
> 5 lawyers about something and you get 7 different opinions :).
> And it had gathered quite a few good points. Thanks to all involved.
> > there are better targets than the DNS.
> Like a key which signs 100.000+ domains?
Like a bank that uses such a key to secure transactions...
I'd rather have someone using 1 good key for 100.000+ domains, than
100.000+ keys and then drown in the key management.
In a similar vein are discussions about the number of hash iterations
in NSEC3 records. I highly doubt that specifying that number is most
important in a DNSSEC deployment...
"You don't have to outrun the bear, you only have to outrun the others".