[dnssec-deployment] binary arthimatic
scottr at nist.gov
Tue Dec 21 08:29:01 EST 2004
> -----Original Message-----
> From: Olaf M. Kolkman [mailto:olaf at ripe.net]
> I am not quite sure where Bill's question originates from.
I don't either, but it's a slow week here, so I'd thought I'd get the
discussion ball rolling. :)
> On Mon, 20 Dec 2004 15:14:46 -0500
> "Scott Rose" <scottr at nist.gov> wrote:
> > Can't say if I really agree with it or not, but considering most .gov
> > policies go with "use a minimum of X bits", the NIST DNS
> Security guide will
> > state something along the lines of choice a) (smallest key).
> > I don't know if that is sufficient, but it should be. Enough
> thought goes
> > into determining the minimum length (by people smarter than I),
> to put trust
> > in it.
> Anybody read draft-ietf-dnsop-dnssec-operational-practices? (Bill
> if you are
> going to deploy I would appreciate a thoughough review and your
> comments on
> what is missing).
I have, and the key length recommendations are consistent from what our
computer security division thinks as well. However, there are people that
would take the guide, and people that are over paranoid and would
over-provision with super sized keys "just to be safe". I belive Bill was
just asking if the concensus was to use the method in the dnssec-ops draft,
or will the community go another (undocumented) route? Of course, correct
me if I'm wrong Bill.
> We have a keylength considderations in there. We are about to
> pop a new version. Maybe even today, if you want a snapshot from the CVS
> please contact me.
> -- Olaf
> ---------------------------------| Olaf M. Kolkman
> ---------------------------------| RIPE NCC
More information about the Dnssec-deployment