On May 16, 2014, at 6:41 AM, Ted Lemon <ted.le...@nominum.com> wrote:
> On May 16, 2014, at 8:18 AM, Andrew Sullivan <a...@anvilwalrusden.com> wrote:
>> But it seems to me we ought to be more enthusiastic than resigned in this case, even if we have to hold our collective nose as well. Either those who understand how the DNS works will document what to do, or else people who have no clue will make more "improvements".
>
> The big can of worms to which I was referring in the previous message was DNSSEC. Deploying CDN functionality with DNSSEC is hard. Not impossible, but definitely hard.

No it's not. All you have to be willing to do is release the constraint on "all signatures offline". Doing online signatures allows all the CDN functionality you want to be DNSSEC validated (not like DNSSEC really does much good for A records anyway...).

And even 4096b RSA signatures only take a handful of milliseconds to construct on the fly, you can cache signature validity for minutes even in the very dynamic case, and this is one of those operations that parallelize obscenely well.

If you want a funky-python-server that really bends DNS and supports dynamic signatures (including dynamic NSEC3 lies), tell me, I can give you my (ugly-ass) source.

--
Nicholas Weaver                  it is a tale, told by an idiot,
nwea...@icsi.berkeley.edu        full of sound and fury,
510-666-2903                     signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
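The online-signing scheme Weaver describes above (sign RRsets on demand, cache each signature for minutes), as an added example that is neither from this thread nor from Weaver's server: a Python sketch of an on-demand signer with a validity window, clock-skew back-dating, and a refresh-before-expiry cache, plus the matching validator check. HMAC-SHA256 stands in for the RSA signature so it runs with the standard library only, and the RRSIG fields are simplified (no key tag, labels or TTL); both are assumptions of this example.

```python
import hmac
import hashlib
import time
from dataclasses import dataclass

# Constructed stand-in for the zone's private key: an HMAC secret instead of RSA.
SIGNING_KEY = b"constructed-demo-key"
VALIDITY = 600   # seconds from signing to expiration
REFRESH = 300    # re-sign once fewer than this many seconds of validity remain
SKEW = 300       # back-date inception so validators with slow clocks accept it

@dataclass(frozen=True)
class RRSIG:
    name: str
    rtype: str
    inception: int
    expiration: int
    signature: str

def _sign(name, rtype, rdata, inception, expiration):
    # Signed data covers owner, type, validity window and the canonical RRset,
    # so a signature cannot be replayed for a different answer or window.
    msg = f"{name}|{rtype}|{inception}|{expiration}|{'|'.join(sorted(rdata))}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

class OnlineSigner:
    """Signs whatever RRset the CDN logic chose; caches per distinct RRset."""
    def __init__(self):
        self._cache = {}  # (name, rtype, sorted rdata) -> RRSIG

    def sign(self, name, rtype, rdata, now=None):
        now = int(time.time()) if now is None else now
        key = (name, rtype, tuple(sorted(rdata)))
        sig = self._cache.get(key)
        if sig is None or sig.expiration - now < REFRESH:
            inception, expiration = now - SKEW, now + VALIDITY
            sig = RRSIG(name, rtype, inception, expiration,
                        _sign(name, rtype, rdata, inception, expiration))
            self._cache[key] = sig
        return sig

def verify(sig, rdata, now):
    """Validator side: reject outside the window or if the RRset was altered."""
    if not (sig.inception <= now <= sig.expiration):
        return False
    expected = _sign(sig.name, sig.rtype, rdata, sig.inception, sig.expiration)
    return hmac.compare_digest(expected, sig.signature)
```

Two clients steered to different A records get two independently signed RRsets; the same answer served again within the refresh margin reuses the cached signature without touching the key.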