To: Mark.Andrews@isc.org
Cc: bmanning@isi.edu, dnssec@cafax.se
From: Bill Manning <bmanning@isi.edu>
Date: Wed, 18 Sep 2002 19:56:15 -0700 (PDT)
In-Reply-To: <200209190217.g8J2HaB5062363@drugs.dv.isc.org> from "Mark.Andrews@isc.org" at "Sep 19, 2 12:17:36 pm"
Sender: owner-dnssec@cafax.se
Subject: Re: key length & fragmentation
% > See the point above. If IDS/firewalls toss UDP fragments,
% > we lose.
%
% Firewalls that toss UDP fragments are inherently broken.
%
% This is no different to CISCO's PIX firewall. It drops
% DNS/UDP responses that are greater than 512 bytes whether
% they are fragmented or not. No one here would argue that
% we should not proceed with EDNS because of this.

True.

% Similarly we should not constrain EDNS because some firewalls
% can't cope with fragmented UDP. The firewalls should be fixed;
% in the meantime the clients are perfectly able to reduce the
% advertised buffer size if they wish, however that default
% should not be this small.

Small leverage, Mark. I'm trying to find a "happy" medium that will give us "strong enough" keys while allowing the responses to traverse these broken firewalls. The uphill battle will be steeper if we deploy things we know are incompatible with the deployed infrastructure. I'm presuming that in 12-24 months' time we will have more compelling reasons to use larger key lengths, and with some folks depending on verifiable answers, the leverage will be stronger to get CAPEX gear replaced.

%
% Mark
% --
% Mark Andrews, Internet Software Consortium
% 1 Seymour St., Dundas Valley, NSW 2117, Australia
% PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org
% --

--bill
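The trade-off the two of them are arguing about can be put into numbers. The script below is an added illustration, not part of the thread and not code from either ISC or ISI: it estimates the wire size of a DNSKEY response for RSA keys of a chosen length and checks it against the two limits mentioned above, the 512-byte classic DNS/UDP ceiling that a PIX-style firewall enforces, and the point at which an IPv4/UDP datagram fragments at a 1500-byte MTU. The zone name, key lengths and the assumption that the DNSKEY RRset is signed by both a ZSK and a KSK are constructed for the example; the byte counts follow the published wire formats (RFC 1035 names and RR header, RFC 2671 OPT RR, RFC 3110 RSA key encoding, RFC 4034 DNSKEY/RRSIG RDATA).

```python
"""Estimate how large a DNSKEY/UDP response gets for RSA keys of a given
length, and which of the failure modes discussed on the list it hits.

Constants follow RFC 1035, RFC 2671, RFC 3110 and RFC 4034.  Zone name,
key sizes and signing policy in the examples are constructed values.
"""
from typing import Sequence

DNS_HEADER = 12         # ID, flags, QD/AN/NS/AR counts
RR_FIXED = 10           # TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)
COMPRESSED_NAME = 2     # answer owner name as a pointer to the QNAME
OPT_RR = 11             # root name (1) + RR_FIXED, no EDNS options
IPV4_UDP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte UDP header
CLASSIC_LIMIT = 512     # pre-EDNS maximum DNS/UDP payload


def name_len(name: str) -> int:
    """Uncompressed wire length of a domain name ("example.com." -> 13)."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return sum(len(lbl) + 1 for lbl in labels) + 1  # +1 for the root label


def dnskey_rdata(key_bits: int) -> int:
    """DNSKEY RDATA for an RSA key: flags(2) protocol(1) algorithm(1), then
    the RFC 3110 public key: exponent length(1), exponent (3 bytes for
    65537), modulus (key_bits / 8)."""
    return 4 + 1 + 3 + key_bits // 8


def rrsig_rdata(key_bits: int, signer: str) -> int:
    """RRSIG RDATA: 18 fixed bytes, the uncompressed signer name, and an
    RSA signature that is exactly as long as the modulus."""
    return 18 + name_len(signer) + key_bits // 8


def dnskey_response_size(zone: str, key_bits: Sequence[int],
                         signing_key_bits: Sequence[int],
                         edns: bool = True) -> int:
    """DNS payload size of the answer to `<zone> DNSKEY`: one DNSKEY RR per
    entry in key_bits, one RRSIG per entry in signing_key_bits, answer
    owner names compressed to the QNAME, plus an OPT RR when EDNS is used."""
    size = DNS_HEADER + name_len(zone) + 4  # question: QNAME QTYPE QCLASS
    for bits in key_bits:
        size += COMPRESSED_NAME + RR_FIXED + dnskey_rdata(bits)
    for bits in signing_key_bits:
        size += COMPRESSED_NAME + RR_FIXED + rrsig_rdata(bits, zone)
    if edns:
        size += OPT_RR
    return size


def classify(payload: int, mtu: int = 1500) -> str:
    """Which middlebox problem from the thread a payload of this size meets."""
    if payload <= CLASSIC_LIMIT:
        return "fits in 512 bytes"
    if payload + IPV4_UDP_OVERHEAD <= mtu:
        return "needs EDNS, single IPv4 datagram"
    return "needs EDNS, fragments at this MTU"


if __name__ == "__main__":
    # Constructed scenarios: (ZSK bits, KSK bits), DNSKEY RRset signed by both.
    for zsk, ksk in [(512, 1024), (1024, 2048), (1024, 4096), (2048, 4096)]:
        n = dnskey_response_size("example.com.", [zsk, ksk], [zsk, ksk])
        print(f"ZSK {zsk:4d} / KSK {ksk:4d}: {n:5d} bytes -> {classify(n)}")
```

Run as-is it prints one line per key pair; the 1024/2048 pair already lands well past 512 bytes (so a PIX that enforces the classic limit drops it) while still fitting in one unfragmented IPv4 datagram, and only the 2048/4096 pair crosses into fragmentation, which is the case the firewalls that discard fragments would break. Pass `edns=False` to see the same answer without the OPT RR, and a smaller `mtu` to model a path with a tighter link.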