To: Brian.Wellington@nominum.com (Brian Wellington)
Cc: bmanning@isi.edu, scottr@antd.nist.gov, dnssec@cafax.se
From: Bill Manning <bmanning@isi.edu>
Date: Wed, 18 Sep 2002 16:00:37 -0700 (PDT)
In-Reply-To: <Pine.LNX.4.44.0209181552110.21236-100000@spratly.nominum.com> from Brian Wellington at "Sep 18, 2 03:53:35 pm"
Sender: owner-dnssec@cafax.se
Subject: Re: key length & fragmentation

% On Tue, 17 Sep 2002, Bill Manning wrote:
%
% > % Short answer - "no" I don't think operational issues should dictate key
% > % lengths, but huge keys don't necessarily mean more secure either :)
% >
% > See the point above. If IDS/firewalls toss UDP fragments,
% > we lose.
%
% Maybe the right answer is to tune the EDNS packet size to avoid UDP
% fragmentation? 4096 is bigger than most MTUs, but 1280 probably isn't,
% and should be enough for most common responses.
%
% Brian

perhaps, but does that leave us w/ "strong enough" keys?

--
--bill