<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
</head><body bgcolor="#FFFFFF" text="#000000"><br>
<br>
Mark Andrews wrote:
<blockquote cite="mid:20150311063121.945602B380DB@rock.dv.isc.org"
type="cite">
<div class="moz-text-plain" wrap="true" graphical-quote="true"
style="font-size: 16px;" lang="x-western"><pre wrap="">In message <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:1FB3DB93-EB08-4864-9D3C-E48DA9FC5278@redbarn.org"><1FB3DB93-EB08-4864-9D3C-E48DA9FC5278@redbarn.org></a>, P Vixie writes:
</pre><blockquote type="cite" style="color: #000000;"><pre wrap=""><span class="moz-txt-citetags">> </span>Tsig won't scale for something like this. Please consider sig0.
</pre></blockquote><pre wrap=""><!---->
I've got no objection to sig(0) but why won't it scale? There is
a existing relationship so public key cyptography isn't needed.</pre></div>
</blockquote>
<br>
sneaker net for key management, including revocation, emergency key
swaps, for delegation-mostly domains that might have tens of millions of
different subdomain operators, is a recipe for disaster.<br>
<br>
<blockquote cite="mid:20150311063121.945602B380DB@rock.dv.isc.org"
type="cite">
<div class="moz-text-plain" wrap="true" graphical-quote="true"
style="font-size: 16px;" lang="x-western">
<pre wrap="">
Sig(0) would require the KEY record to be in the parent zone or to
be held by the registrar in a seperate database. In the later case
you either need a database of KEY records or a database of TSIG
keys. As far as I can tell there is no difference in the scaling
requirements.</pre>
</div>
</blockquote>
<br>
the KEY RR would also be SIG(0) updateable.<br>
<br>
<blockquote cite="mid:20150311063121.945602B380DB@rock.dv.isc.org"
type="cite">
<div class="moz-text-plain" wrap="true" graphical-quote="true"
style="font-size: 16px;" lang="x-western">
<pre wrap="">
Sig(0) might be marginally more secure as only one side holds
material than needs to be kept private.
</pre>
</div>
</blockquote>
<br>
take that marginal difference and multiply it by six billion to get the
internet wide impact over time.<br>
<br>
<div class="moz-signature">-- <br>Paul Vixie<br>
</div>
</body></html>