IETF Logo Mail Archive

Re: [DNSOP] Key sizes was Re: I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt

Joe Abley <jabley@hopcount.ca> Sat, 25 April 2009 02:24 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 227E83A68C2 for <dnsop@core3.amsl.com>; Fri, 24 Apr 2009 19:24:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HzTVTJqa3jyz for <dnsop@core3.amsl.com>; Fri, 24 Apr 2009 19:24:04 -0700 (PDT)
Received: from monster.hopcount.ca (monster.hopcount.ca [199.212.90.4]) by core3.amsl.com (Postfix) with ESMTP id F2FE43A67D9 for <dnsop@ietf.org>; Fri, 24 Apr 2009 19:24:03 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=monster; d=hopcount.ca; h=Received:Cc:Message-Id:From:To:In-Reply-To:Content-Type:Content-Transfer-Encoding:Mime-Version:Subject:Date:References:X-Mailer; b=ES/EMHGUmaSbeRCX3CI0yTim3Sb9X0FOLth4ZReKF+JYZi2umh4JJHHkDVe3+N68EdEtWjlNZ2opOKuF6Cpe8kAd2sIGFH4uYu4oHV9ofvtrI4eIN9iMCDm+X7oPr/Cl;
Received: from [199.212.90.13] (helo=calamari.hopcount.ca) by monster.hopcount.ca with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.69 (FreeBSD)) (envelope-from <jabley@hopcount.ca>) id 1LxXZw-000E0V-Cu; Sat, 25 Apr 2009 02:25:21 +0000
Message-Id: <F37ECB0D-D4B4-4AB5-A45B-134235961EBC@hopcount.ca>
From: Joe Abley <jabley@hopcount.ca>
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <p0624087ec61821fc04bf@[10.20.30.158]>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Fri, 24 Apr 2009 22:25:19 -0400
References: <49EDA81E.2000600@ca.afilias.info> <p06240807c613a658a056@[10.20.30.163]> <49EE276C.5070706@ca.afilias.info> <p06240814c613f23a6960@[10.20.30.163]> <49EEF042.3070109@ca.afilias.info> <alpine.LFD.1.10.0904221147060.7510@newtla.xelerance.com> <49EFA9C3.6090903@ca.afilias.info> <alpine.LFD.1.10.0904231142590.7788@newtla.xelerance.com> <alpine.LFD.1.10.0904241052270.26808@newtla.xelerance.com> <p06240813c61798e7e391@[10.20.30.158]> <20090424174722.GA30229@isc.org> <alpine.LFD.1.10.0904241514300.28588@newtla.xelerance.com> <14F6B497-51D8-4719-B3C2-814A7D20940D@hopcount.ca> <p0624087bc618150afc11@[10.20.30.158]> <90A997B2-4700-479E-9E49-CB84E2FCCBCA@hopcount.ca> <p0624087ec61821fc04bf@[10.20.30.158]>
X-Mailer: Apple Mail (2.930.3)
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Key sizes was Re: I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Apr 2009 02:24:05 -0000

On 24 Apr 2009, at 22:18, Paul Hoffman wrote:

>> If there is a practical limit to key size due to concerns about  
>> peoples' validators running out of steam, then I think it needs to  
>> be stated clearly. Otherwise as a zone administrator my instinct  
>> will be to use keys that are as large as possible, since the costs  
>> incurred by doing so are going to be borne by other people and all  
>> I see is benefit (in the form of increased comfort level and a  
>> better story for upper management, even if there is no practical  
>> improvement in security).
>
> That's certainly your option. Another option is to listen to  
> cryptographers about what is possible with a reasonable amount of  
> money and time, and stop there.

My point is that given the choice between "doing what is currently  
considered safe" and "exceeding what is currently considered safe by a  
factor of four with no additional cost to you" I think many otherwise  
uninformed zone administrators are conditioned to choose the latter.

>> On the flip side, how can the "real cost" for validator-operators  
>> that you assert be quantified?
>
> Exactly.

So your point is that you don't know how to quantify it?

>> I have a hand in running a couple of non-validating resolvers for a  
>> local ISP. 35,000 customers are served by two machines running BIND  
>> 9.5.x on FreeBSD 7.1, and the CPUs are 96% idle at peak load.  
>> That's a fair amount of headroom, even ignoring the fact that the  
>> ISP in question is in the process of replacing each machine with an  
>> ECMP/OSPF cluster of two machines in order to simplify ad-hoc  
>> maintenance.
>>
>> I'm not arguing about the assertion that there is a limit to what  
>> validators can tolerate. However, it seems reasonable to ask if  
>> it's the kind of limit that we need to worry about, and not, the  
>> kind of limit that is always going to fit in that headroom as  
>> validator hardware gets upgraded on a typical cycle and DNSSEC  
>> deployment proceeds over time.
>
> How will you know? Why not stop when enough is enough?

Because there's no incentive for a zone administrator to choose  
anything other than the largest key her tools let her create. So what  
is "enough"?


Joe

v2.23.0 | Report a Bug | By Email