Re: [dnsext] NSEC3 and elliptic curve signatures

"Rose, Scott W." <> Thu, 16 September 2010 18:11 UTC

From: "Rose, Scott W." <>
To: Namedroppers WG <>
Date: Thu, 16 Sep 2010 14:05:40 -0400
Subject: Re: [dnsext] NSEC3 and elliptic curve signatures

FWIW, those that produce operational recommendations will have to answer this if it is not in the draft.  Those values will likely vary.  While this isn't a show-stopper, it may cause administrator confusion.

I think a good gauge should be to have the max iterations recommendation be less than the time it takes to validate the RRSIG for "an average system".  I don't have an idea what the hard numbers would be.


On Sep 16, 2010, at 12:55 PM, Paul Hoffman wrote:

> Greetings again. draft-hoffman-dnssec-ecdsa describes DNSSEC signature algorithms using the two generally-accepted elliptic curve sizes of 256 and 384 bits. Dan Simon pointed out to Wouter and me that RFC 5155 talks about choosing iteration sizes for DSA and RSA, but not elliptic curves. Wouter ran some numbers that could be used to determine possible iteration counts, but RFC 5155 only sets maximums for iterations, not suggested values.
> Do folks here think that draft-hoffman-dnssec-ecdsa should have suggested RFC 5155 iteration counts? Should we discuss it at all?
> --Paul Hoffman, Director
> --VPN Consortium

Scott Rose
+1 301-975-8439
Google Voice: +1 571-249-3671
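The gauge proposed above (cap NSEC3 iterations where the hashing work starts to exceed one RRSIG validation) can be turned into a measurement. The Go program below is an added example, not code from the message, the draft, or any DNS implementation. It implements the RFC 5155 section 5 hash (IH(0) = SHA-1(name || salt), IH(k) = SHA-1(IH(k-1) || salt), base32hex output) and checks it against the "example"/aabbccdd/12-iteration vector from RFC 5155 Appendix A, then times one SHA-1 round against one ECDSA verification on P-256 and P-384 and reports the iteration count at which hashing costs as much as a verify. Assumptions: the timings are for whatever machine runs it (so the printed counts are illustrative, not a recommendation), the signed message is a constructed stand-in for RRSIG data, and the digest used with both curves is SHA-256. Note that a validator may hash several names per negative answer (closest encloser proof), so a budget derived this way is on the generous side.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base32"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// ownerNameWire converts a presentation-format owner name ("a.example.")
// into canonical (lowercase) DNS wire format, which RFC 5155 section 5
// requires as hash input. Plain labels only; escapes are not handled.
func ownerNameWire(name string) []byte {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	var wire []byte
	if name != "" {
		for _, label := range strings.Split(name, ".") {
			wire = append(wire, byte(len(label)))
			wire = append(wire, label...)
		}
	}
	return append(wire, 0) // root label terminator
}

// nsec3Hash computes IH(salt, name, iterations) from RFC 5155 section 5.
// "iterations" counts the rounds after the initial hash, so 12 iterations
// means 13 SHA-1 invocations. Returns the lowercase base32hex label
// (RFC 4648 extended hex alphabet, no padding).
func nsec3Hash(name string, salt []byte, iterations int) string {
	h := sha1.Sum(append(ownerNameWire(name), salt...))
	for k := 0; k < iterations; k++ {
		h = sha1.Sum(append(h[:], salt...))
	}
	enc := base32.HexEncoding.WithPadding(base32.NoPadding)
	return strings.ToLower(enc.EncodeToString(h[:]))
}

// perHashCost returns the average wall-clock time of one SHA-1 round over a
// typical NSEC3 input, measured by running a long iteration chain.
func perHashCost(name string, salt []byte, rounds int) time.Duration {
	start := time.Now()
	nsec3Hash(name, salt, rounds)
	return time.Since(start) / time.Duration(rounds+1)
}

// ecdsaVerifyCost returns the average time of one ECDSA verification on the
// given curve over a constructed message (not real RRSIG data). Key
// generation and signing are excluded from the timed region.
func ecdsaVerifyCost(curve elliptic.Curve, samples int) (time.Duration, error) {
	priv, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return 0, err
	}
	digest := sha256.Sum256([]byte("constructed RRSIG stand-in, not a real record"))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return 0, err
	}
	start := time.Now()
	for i := 0; i < samples; i++ {
		if !ecdsa.VerifyASN1(&priv.PublicKey, digest[:], sig) {
			return 0, fmt.Errorf("verification unexpectedly failed")
		}
	}
	return time.Since(start) / time.Duration(samples), nil
}

// maxIterationsForBudget applies the gauge from the message: the largest
// iteration count whose total hashing time stays within one verification.
// The initial hash is subtracted because "iterations" excludes it.
func maxIterationsForBudget(verify, perHash time.Duration) int {
	if perHash <= 0 {
		return 0
	}
	n := int(verify/perHash) - 1
	if n < 0 {
		n = 0
	}
	return n
}

func main() {
	salt, _ := hex.DecodeString("aabbccdd") // salt from RFC 5155 Appendix A
	fmt.Println("example. ->", nsec3Hash("example.", salt, 12))
	hc := perHashCost("www.example.", salt, 100000)
	for _, c := range []elliptic.Curve{elliptic.P256(), elliptic.P384()} {
		vc, err := ecdsaVerifyCost(c, 200)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("%s: one verify %v, one SHA-1 round %v, iterations before hashing exceeds a verify: %d\n",
			c.Params().Name, vc, hc, maxIterationsForBudget(vc, hc))
	}
}
```

Run it with `go run .`; the first line must print the Appendix A hash 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom, which confirms the wire-format and salt handling before any timing is trusted. The per-curve counts are machine dependent and will be far larger than the RSA/DSA maximums RFC 5155 section 10.3 sets, which is the point of the thread: a cap derived from verification cost alone would not by itself constrain the iteration count for ECDSA the way it does for RSA.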