Re: [DNSOP] Current DNSOP thread and why 1024 bits

Paul Wouters <> Thu, 03 April 2014 04:07 UTC

Date: Thu, 3 Apr 2014 00:07:36 -0400 (EDT)
From: Paul Wouters <>
To: David Conrad <>
Subject: Re: [DNSOP] Current DNSOP thread and why 1024 bits

On Thu, 3 Apr 2014, David Conrad wrote:

> We want to make security decisions that actually improve security.
> Making a decision that results in people turning security off because the (perceived at least) performance impact is too large does not improve security.

I'm happy to hear the browser vendors taking DNS latency seriously, and
look forward to their contributions towards solving that, with solutions
such as

Perhaps they will even advise running resolvers on the stubs with
pre-fetching of low TTL records so they can get out of the DNS caching
business themselves.

> People are already doing insanely stupid things (e.g., not following TTLs) because they eke out a couple of extra milliseconds in reduced RTT per query (which, multiplied by the zillions of queries today's high content websites require, does actually make a difference).

Luckily, I think we've seen that the chrome/speed pendulum is already
swinging back, and the browser vendors are seeing that users do
care about more than just latency.

> Having not looked into it sufficiently, I do not have a strong opinion as to whether increasing key lengths will result in people either not signing or turning off validation, but I believe it wrong to disregard performance considerations.

My previous email explained why I believe those performance considerations
were wrong.  I am not disregarding them out of principle; I'm disregarding
them because I don't agree with the reasons offered. Big resolvers can add more
hardware without pain. End nodes like phones have plenty of CPU to use
up while waiting for latency, and then some.