

To: Bill Manning <bmanning@isi.edu>
cc: Scott Rose <scottr@antd.nist.gov>, <dnssec@cafax.se>
From: Brian Wellington <Brian.Wellington@nominum.com>
Date: Wed, 18 Sep 2002 15:53:35 -0700 (PDT)
In-Reply-To: <200209171814.g8HIE3p03471@boreas.isi.edu>
Sender: owner-dnssec@cafax.se
Subject: Re: key length & fragmentation

On Tue, 17 Sep 2002, Bill Manning wrote:

> % Short answer - "no" I don't think operational issues should dictate key
> % lengths, but huge keys don't necessarily mean more secure either :)
> 
> 	See the point above. If IDS/firewalls toss UDP fragments,
> 	we lose.

Maybe the right answer is to tune the EDNS packet size to avoid UDP 
fragmentation?  4096 is bigger than most MTUs, but 1280 probably isn't, 
and should be enough for most common responses.

Brian
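The EDNS0 buffer-size tuning Brian suggests, as an added example that is not part of this thread or of any of the participants' code: it builds a DNS query whose OPT pseudo-RR advertises a chosen UDP payload size (1280 or 4096), reads that size back out of a message, and checks whether a response of a given length would fit in one link frame. The query name, transaction ID, and MTU values are constructed for the example; the IPv4/IPv6/UDP header sizes (20/40/8 bytes) are the fixed-header minimums, and 512 is the pre-EDNS default from RFC 1035.

```python
import struct

DNS_TYPE_OPT = 41        # OPT pseudo-RR type (RFC 2671)
EDNS_DO_FLAG = 0x8000    # DNSSEC OK bit in the OPT TTL field (RFC 3225)
UDP_DEFAULT_SIZE = 512   # assumed when a message carries no OPT RR (RFC 1035)


def encode_name(name):
    """Encode a dotted hostname into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_opt_rr(udp_payload_size, dnssec_ok=True):
    """OPT RR: root name, TYPE=41, CLASS=advertised UDP size, TTL=ext-rcode/version/flags, empty RDATA."""
    ttl = EDNS_DO_FLAG if dnssec_ok else 0
    return b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_payload_size, ttl, 0)


def build_query(qname, qtype, udp_payload_size=None, txid=0x1234):
    """Constructed DNS query with one question; adds an OPT RR when udp_payload_size is given."""
    arcount = 0 if udp_payload_size is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD bit set
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)       # QCLASS=IN
    msg = header + question
    if udp_payload_size is not None:
        msg += build_opt_rr(udp_payload_size)
    return msg


def skip_name(msg, off):
    """Advance past a wire-format name, including a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def advertised_udp_size(msg):
    """Return the EDNS UDP buffer size a message advertises, or 512 if it has no OPT RR."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == DNS_TYPE_OPT:
            return rclass                      # CLASS field carries the buffer size
    return UDP_DEFAULT_SIZE


def fits_without_fragmentation(dns_size, mtu, ipv6=False):
    """True if a DNS message of dns_size bytes, plus IP and UDP headers, fits in one frame of size mtu."""
    ip_header = 40 if ipv6 else 20
    return dns_size + ip_header + 8 <= mtu


if __name__ == "__main__":
    for size in (4096, 1280):
        q = build_query("example.com", 1, size)
        print(size, "advertised:", advertised_udp_size(q),
              "fits 1500-byte Ethernet:", fits_without_fragmentation(size, 1500))
```

The check in `fits_without_fragmentation` also shows the limit of a flat 1280 setting: on an IPv6 link at the protocol's minimum MTU of 1280 bytes, a 1280-byte DNS payload plus 48 bytes of IPv6 and UDP headers no longer fits, so the advertised size has to leave room for the headers as well.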

