[dns-operations] What would it take...

Paul Vixie paul at redbarn.org
Wed Mar 11 08:38:08 UTC 2015

Mark Andrews wrote:
> In message <1FB3DB93-EB08-4864-9D3C-E48DA9FC5278 at redbarn.org>, P Vixie writes:
>> > Tsig won't scale for something like this. Please consider sig0.
> I've got no objection to sig(0) but why won't it scale?  There is
> a existing relationship so public key cyptography isn't needed.

sneaker net for key management, including revocation, emergency key
swaps, for delegation-mostly domains that might have tens of millions of
different subdomain operators, is a recipe for disaster.

> Sig(0) would require the KEY record to be in the parent zone or to
> be held by the registrar in a seperate database.  In the later case
> you either need a database of KEY records or a database of TSIG
> keys.  As far as I can tell there is no difference in the scaling
> requirements.

the KEY RR would also be SIG(0) updateable.

> Sig(0) might be marginally more secure as only one side holds
> material than needs to be kept private.

take that marginal difference and multiply it by six billion to get the
internet wide impact over time.

Paul Vixie
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20150311/26d0e329/attachment.html>

More information about the dns-operations mailing list