[dns-operations] What would it take...
Paul Vixie
paul at redbarn.org
Wed Mar 11 08:38:08 UTC 2015
Mark Andrews wrote:
> In message <1FB3DB93-EB08-4864-9D3C-E48DA9FC5278 at redbarn.org>, P Vixie writes:
>> > TSIG won't scale for something like this. Please consider sig0.
>
> I've got no objection to sig(0) but why won't it scale? There is
> an existing relationship so public key cryptography isn't needed.
sneaker net for key management, including revocation, emergency key
swaps, for delegation-mostly domains that might have tens of millions of
different subdomain operators, is a recipe for disaster.
> Sig(0) would require the KEY record to be in the parent zone or to
> be held by the registrar in a separate database. In the latter case
> you either need a database of KEY records or a database of TSIG
> keys. As far as I can tell there is no difference in the scaling
> requirements.
the KEY RR would also be SIG(0) updateable.
>
> Sig(0) might be marginally more secure as only one side holds
> material that needs to be kept private.
take that marginal difference and multiply it by six billion to get the
internet wide impact over time.
--
Paul Vixie