Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...

Jelte Jansen <> Tue, 01 April 2014 13:53 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 1AB601A06BE for <>; Tue, 1 Apr 2014 06:53:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.084
X-Spam-Status: No, score=0.084 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id PIDkBQEVryt5 for <>; Tue, 1 Apr 2014 06:53:03 -0700 (PDT)
Received: from ( [IPv6:2a00:d78:0:147:94:198:152:69]) by (Postfix) with ESMTP id 552AD1A06FF for <>; Tue, 1 Apr 2014 06:53:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt;; s=sidn_nl; c=relaxed/relaxed; h=message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:x-enigmail-version:content-type:content-transfer-encoding:x-originating-ip; bh=pjqMgbsF3mZ1Cjzd6Yx62s2uaEsZxiXrH7OsBhcqIOI=; b=JsMAzOXrqlUvAJrU5jfhPS7YQPo2HZELtbJIjIviy2y0IB1FdtcNVR4cJQFoMsxXg9N+R5It75Eyk+G8zbQT/s8dgRWZjzocXaU4LciIRfkhv1ONk7X9pUv0DLszSA23YoX+g96CXBRYccDmmk61Rzhj85cEEbQxSWu976cJ5is=
Received: from kahubcasn01.SIDN.local ([]) by with ESMTP id s31Dqqfu023073-s31Dqqfw023073 (version=TLSv1.0 cipher=AES128-SHA bits=128 verify=CAFAIL); Tue, 1 Apr 2014 15:52:52 +0200
Received: from [] ( by kahubcasn01.SIDN.local ( with Microsoft SMTP Server (TLS) id; Tue, 1 Apr 2014 15:52:49 +0200
Message-ID: <>
Date: Tue, 1 Apr 2014 15:52:28 +0200
From: Jelte Jansen <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.3.0
MIME-Version: 1.0
To: Phillip Hallam-Baker <>, Nicholas Weaver <>
References: <> <> <> <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Originating-IP: []
Cc: "" <>, =?ISO-8859-1?Q?Matth=E4us_Wander?= <>, Bill Woodcock <>
Subject: Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 01 Apr 2014 13:53:05 -0000

On 04/01/2014 03:39 PM, Phillip Hallam-Baker wrote:
> Yes, I agree, but you are proposing a different DNSSEC model to the one
> they believe in.
> The DNS world has put all their eggs into the DNSSEC from Authoritative
> to Stub client model. They only view the Authoritative to Resolver as a
> temporary deployment hack.
> So they resisted the idea of an authenticated Stub-client <-> Resolver
> protocol and they dumb down the crypto so their model will work. 
> Weakening the crypto algorithms to make the architecture work is always
> a sign that the wrong architecture is being applied.

Oh come on.

If anything, one would expect that doing the validation on the end
machines is *easier* despite needing more cycles to do so, since there
is much less work to do and generally much more cycles to spare. So I
don't see your reasoning about 'them' follow up into this conclusion here.

The way I read it, Olafur is asking for people to consider other sizes,
and operational issues, rather than simply saying "double 'em up,
yeeha". One may disagree (I do too, as it happens, for different
reasons), or one can consider it and still come to the conclusion that
2048/4096 are the only right sizes (for now, we'll need better algos
soonish I guess).