Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...

Paul Wouters <> Wed, 02 April 2014 03:06 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 07CEE1A00D4 for <>; Tue, 1 Apr 2014 20:06:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id juD_Er3-B726 for <>; Tue, 1 Apr 2014 20:06:44 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id CE5D81A00D5 for <>; Tue, 1 Apr 2014 20:06:43 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 226EF813B5; Tue, 1 Apr 2014 23:06:38 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=default; t=1396407998; bh=KvqvDYitoL2DBFfWV14G9VbhPrk2dlFRBX+1szQbPfU=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=QZ0s6iUK4ibiOeG3aFGKEFBoA/YTZZ8unqOZlFgB2kyHRd/75FgEqS2hqKhdboTTO ZitCp5kVggVf+ZNrHsQT6MiaatdUCoZQcTotd7TlOLLUADlsbGwbtVVgWmQRJIWVVa OVTeopjmYZrYnqjGoVh5PMYRsCCVNWLSW6hZufhY=
Received: from localhost (paul@localhost) by (8.14.7/8.14.7/Submit) with ESMTP id s3236baH021924; Tue, 1 Apr 2014 23:06:37 -0400
X-Authentication-Warning: paul owned process doing -bs
Date: Tue, 1 Apr 2014 23:06:37 -0400 (EDT)
From: Paul Wouters <>
To: Olafur Gudmundsson <>
In-Reply-To: <>
Message-ID: <>
References: <> <> <> <> <> <>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: dnsop <>
Subject: Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 02 Apr 2014 03:06:49 -0000

On Tue, 1 Apr 2014, Olafur Gudmundsson wrote:

> Over the years I have been saying use keys that are appropriate, thus for someone like Paypal it makes sense to have strong keys,
> but for my private domain does it matter what key size I use?

That depends. How much money is in your paypal account?

Seriously though, security strength should not depend on who uses
it. Just like opensource software does not tell you for what you can
use the software. No one can make consistent judgement calls on that.

We already see security that is only available to "important
players", like EV certificates, and browser vendors pinning their own
certificates, OS vendors hardcoding their IP addresses. It's a position
of priviledge. We should not design or deploy to accomodate that. One
the of advantages of DNSSEC is that we can give everyone the highest
levels of security. Don't make a security economy class.

People running giant DNS resolver farms can add a few boxes to their
farm. People running resolvers on the stub can take the extra hit for
the few domains they are resolving.