On Fri, May 16, 2014 at 7:24 AM, Nicholas Weaver <nwea...@icsi.berkeley.edu> wrote:

> No it's not. All you have to be willing to do is release the constraint on
> "all signatures offline". Doing online signatures allows all the CDN
> functionality you want to be DNSSEC validated (not like DNSSEC really does
> much good for A records anyway...).

There's no incompatibility between offline signing and returning different answers to different source IPs; just sign every variant.

> And even 4096b RSA signatures only take a handful of milliseconds to
> construct on the fly, you can cache signature validity for minutes even in
> the very dynamic case, and this is one of those operations that parallelize
> obscenely well.

You won't survive a trivial DoS from a wristwatch computer with that approach :) Having static answers around greatly increases capacity, by many orders of magnitude.

-- 
Colm

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop