[dns-operations] DNS Flag Day 2020 will become effective on 2020-10-01

Simon Arlott simon at arlott.org
Sat Sep 12 08:26:59 UTC 2020


On 11/09/2020 09:29, Viktor Dukhovni wrote:
>     2.  Algorithm 13 (and just starting 15) adoption is growing,
>         lowering packet sizes for many signed zones.

Maybe someone could convince the registries for large TLDs like .com,
.net, .uk that they should support algorithms that have been defined
for 3 years?

Some of us are stuck on RSA because ED25519 is still not supported by
the registry. Some registries (.au) won't even respond to email on this
topic.

(Having personally forced an application to give up its ECDSA private
key by reusing the secret nonce, it's not an algorithm that I trust.)


> While 1232 is in the ballpark, it may be too conservative, the case
> for 1232 rather than perhaps say 1400 didn't look that compelling.

I think a buffer size of 1232 that is simply based on the minimum IPv6
MTU is too low. If I implemented this change I would be setting it based
on my MTU of 1500.

Have you considered the effect this has on the root zone during a KSK
rollover?

Looking at the current response size of 864 bytes, if you add another
2048-bit RSA DNSKEY and RRSIG it'll reach 1425 bytes:
https://ripe72.ripe.net/wp-content/uploads/presentations/168-verisign-zsk-change.pdf

-- 
Simon Arlott