Re: [DNSOP] DNSKEY RRset size and the root

In message , Liang Zhu writes: > On Fri, Jan 23, 2015 at 10:12 AM, Nicholas Weaver > wrote: > > > >> On Jan 23, 2015, at 10:01 AM, Paul Hoffman wrote: > >> > >> What is the problem with #2? IP fragmentation happens, and The Internet is > >> expected to work with it. That is, of what possible

Re: [DNSOP] DNSKEY RRset size and the root

On Fri, Jan 23, 2015 at 10:12 AM, Nicholas Weaver wrote: > >> On Jan 23, 2015, at 10:01 AM, Paul Hoffman wrote: >> >> What is the problem with #2? IP fragmentation happens, and The Internet is >> expected to work with it. That is, of what possible value is "inform their >> customers"? > > The I

Re: [DNSOP] DNSKEY RRset size and the root

The Internet has unfortunately decreed that Fragmentation Does Not Work with IPv4, and Really Does Not Work with IPv6. It seems this issue is being escalated as we speak! "Internet fragmentation worries world business leaders" http://www.cbc.ca/m/news/technology/internet-fragmentation-worrie

Re: [DNSOP] DNSKEY RRset size and the root

> Mark Andrews > Friday, January 23, 2015 12:50 PM > In message <48ae7501-a80a-40b1-8fda-34984aa4d...@icsi.berkeley.edu>, Nicholas > Weaver writes: >> ... >> >> The Internet has unfortunately decreed that Fragmentation Does Not Work >> with IPv4, and Really Does Not Work w

Re: [DNSOP] DNSKEY RRset size and the root

In message <48ae7501-a80a-40b1-8fda-34984aa4d...@icsi.berkeley.edu>, Nicholas Weaver writes: > > > > On Jan 23, 2015, at 10:01 AM, Paul Hoffman > wrote: > > > > What is the problem with #2? IP fragmentation happens, and The Internet > is expected to work with it. That is, of what possible value

Re: [DNSOP] DNSKEY RRset size and the root

> On Jan 23, 2015, at 10:01 AM, Paul Hoffman wrote: > > What is the problem with #2? IP fragmentation happens, and The Internet is > expected to work with it. That is, of what possible value is "inform their > customers"? The Internet has unfortunately decreed that Fragmentation Does Not Work

Re: [DNSOP] DNSKEY RRset size and the root

On Jan 23, 2015, at 9:40 AM, Liang Zhu wrote: > There have been repeated questions about how big DNSSEC keys should > be. We are also interested in understanding at what point IPv4 > fragmentation becomes common in UDP responses as key size increases, > since IPv4 fragmentation brings performance

Re: [DNSOP] DNSKEY RRset size and the root

On Thu, Jan 22, 2015 at 10:12 AM, Paul Wouters wrote: > > On Wed, 21 Jan 2015, David Conrad wrote: > >> Thanks very much for this note. The issue of the ZSK length is something >> that has popped up on various radars on various occasions and given the >> recent publicity over at imperialviolet a

Re: [DNSOP] DNSKEY RRset size and the root

On Wed, 21 Jan 2015, David Conrad wrote: Thanks very much for this note. The issue of the ZSK length is something that has popped up on various radars on various occasions and given the recent publicity over at imperialviolet and sockpuppet on 1024 bit RSA, it'd be good to explore this in mor

Re: [DNSOP] DNSKEY RRset size and the root

Paul, > Let me clarify things a bit, Thanks very much for this note. The issue of the ZSK length is something that has popped up on various radars on various occasions and given the recent publicity over at imperialviolet and sockpuppet on 1024 bit RSA, it'd be good to explore this in more det

[DNSOP] DNSKEY RRset size and the root

Let me clarify things a bit, The root ZSK key is 1024 because of assumed packet size issues. nohats.ca is currently publishing 3 2048 bit keys, and has a message size as reported by dig of 1163. That's even under 1500 (and came in on UDP). So what's the problem of moving the root ZSK to 2048?