[Opendnssec-user] Default ZSK sizes

Miek Gieben miek at miek.nl
Wed Jan 25 12:32:20 UTC 2012


[ Quoting <ondrej at sury.org> at 12:20 on Jan 25 in "Re: [Opendnssec-user..." ]
> >
> > I always get a bit sad because of these mails... If RSA is vulnerable
> 
> Why sad? I think it's useful to discuss this once in a while.  Also because
> it looks like (to an outsider) that cryptographers are like lawyers.  You ask
> 5 lawyers about something and you get 7 different opinions :).
> 
> And it had gathered quite a few good points. Thanks to all involved.
> 
> > there are better targets than the DNS.
> 
> Like a key which signs 100.000+ domains?

Like a bank that uses such a key to secure transactions...

I'd rather have someone using 1 good key for 100.000+ domains, than
100.000+ keys and then drown in the key management.

In a similar vein are discussions about the number of hash iterations
in NSEC3 records. I highly doubt that specifying that number is most
important in a DNSSEC deployment...

"You don't have to outrun the bear, you only have to outrun the others".


 grtz,

-- 
    Miek