[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Q2: crypto algorithm requirements for DNSSEC

To: Rob Austein <sra+namedroppers@hactrn.net>
Subject: Re: Q2: crypto algorithm requirements for DNSSEC
From: Mark.Andrews@isc.org
Date: Wed, 12 Feb 2003 10:00:21 +1100
Cc: namedroppers@ops.ietf.org
In-reply-to: Your message of "Tue, 11 Feb 2003 16:10:18 CDT." <20030211211018.1FDB118ED@thrintun.hactrn.net>

> Counter argument is that having two algorithms means that one can be
> attacked via a break in either algorithm.

	That is why the use of a particular algorithm MUST be
	selectable at runtime both in the signer and resolver.  We
	already have had to withdraw one algorithm.

> So, while I understand the desire to have a fallback strategy, I'm not
> sure that we really have one whether DSA is mandatory or not.

	Well the choices are:
	* Immediate replacement of all resolvers. 
	* Immediate disabling of a algorithm and gradual replacement
	  of all resolvers.

	You will get *much* higher success with the second vs the first.

	Mark

--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

Follow-Ups:
- Re: Q2: crypto algorithm requirements for DNSSEC
  - From: Derek Atkins <derek@ihtfp.com>

References:
- Re: Q2: crypto algorithm requirements for DNSSEC
  - From: Rob Austein <sra+namedroppers@hactrn.net>

Prev by Date: Re: DNSEXT WGLC: DNSSEC Opt-in
Next by Date: Re: Q2: crypto algorithm requirements for DNSSEC
Previous by thread: Re: Q2: crypto algorithm requirements for DNSSEC
Next by thread: Re: Q2: crypto algorithm requirements for DNSSEC
Index(es):
- Date
- Thread