To: scottr@nist.gov (Scott Rose)
Cc: bmanning@isi.edu, dnssec@cafax.se
From: Bill Manning <bmanning@isi.edu>
Date: Tue, 17 Sep 2002 12:57:27 -0700 (PDT)
In-Reply-To: <003101c25e82$2537ab80$b9370681@BARNACLE> from Scott Rose at "Sep 17, 2 03:40:58 pm"
Sender: owner-dnssec@cafax.se
Subject: Re: key length & fragmentation
% > % In the tests - what were the average size of the KEY RRsets?
% >
% > single keys. RSA/SHA1 - 512 & 1024, which generated
% > "reasonable" packets. RSA/SHA1 - 4096 bits, which generated
% > UDP fragmentation.
% >
%
% I think all of these issues need to be addressed in some sort of DNSOPS RFC
% or something. Trouble is that most of us have been too busy trying to get
% the protocol to stop moving that we haven't given much thought to stuff like
% operational key length.

I'm prepared to do the "or something" bit.

% It has been my intention (when I can find some time) to get some security
% policy folk to look at DNSSEC and offer suggestions.

I've poked about some and have sent bits/pieces off to some crypto folks.
Would you like to share notes?

%
% Scott
%

--
--bill
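A rough wire-size calculation for the KEY RRset responses discussed above, added here as an illustration; it is not part of the thread or of the tests Bill describes. It assumes RFC 3110 RSA key encoding with a 65537 exponent, one SIG per key, a constructed zone name, and a 1500-byte IPv4 MTU, and it also lets you vary the number of keys, which the thread does not.

```python
# Added example (not from the original thread): estimate the wire size of a
# KEY/DNSKEY RRset response (keys + their RSA/SHA1 signatures) for a given
# RSA modulus size, to see where the 512-byte UDP limit and the Ethernet
# fragmentation point fall. Zone name and key count are constructed inputs.

CLASSIC_UDP_LIMIT = 512               # RFC 1035 UDP payload limit without EDNS0
ETHERNET_UDP_PAYLOAD = 1500 - 20 - 8  # IPv4 MTU minus IP and UDP headers


def wire_name_len(name: str) -> int:
    """Length of an uncompressed wire-format name (length-prefixed labels + root)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return sum(1 + len(lab) for lab in labels) + 1


def rsa_key_rdata_len(modulus_bits: int, exponent_bytes: int = 3) -> int:
    """KEY/DNSKEY RDATA for an RSA key: flags(2) proto(1) alg(1) + RFC 3110 key."""
    exp_len_field = 1 if exponent_bytes < 256 else 3
    return 2 + 1 + 1 + exp_len_field + exponent_bytes + modulus_bits // 8


def rsa_sig_rdata_len(modulus_bits: int, signer: str) -> int:
    """SIG/RRSIG RDATA: 18 fixed bytes, uncompressed signer name, RSA signature."""
    return 18 + wire_name_len(signer) + modulus_bits // 8


def estimate_response_len(zone: str, modulus_bits: int, keys: int = 1,
                          edns: bool = True) -> int:
    """Header + question + one KEY RR and one SIG RR per key (+ OPT RR if EDNS)."""
    header = 12
    question = wire_name_len(zone) + 4
    rr_fixed = 2 + 10  # compression pointer + type/class/ttl/rdlength
    key_rr = rr_fixed + rsa_key_rdata_len(modulus_bits)
    sig_rr = rr_fixed + rsa_sig_rdata_len(modulus_bits, zone)
    opt_rr = 11 if edns else 0
    return header + question + keys * (key_rr + sig_rr) + opt_rr


def classify(size: int) -> str:
    """Transport outcome implied by a response of this size."""
    if size <= CLASSIC_UDP_LIMIT:
        return "fits classic 512-byte UDP"
    if size <= ETHERNET_UDP_PAYLOAD:
        return "needs EDNS0, single IPv4 datagram on Ethernet"
    return "needs EDNS0 and fragments on a 1500-byte MTU"


if __name__ == "__main__":
    for bits in (512, 1024, 4096):
        for n in (1, 2):
            size = estimate_response_len("example.test.", bits, keys=n)
            print(f"RSA-{bits}, {n} key(s): {size} bytes -> {classify(size)}")
```

With a single key the 4096-bit case already exceeds 512 bytes and so depends on EDNS0 and the advertised buffer size; a second key and signature push it past the Ethernet fragmentation point. The exact packet layout of the tests reported in the thread is not given, so treat these numbers as a lower bound.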