I get that Kiwis have to do things differently downunder, it's part of our DNA, but whether the key size is important cryptographically or not is largely irrelevant. If the rest of the world has chosen 2048-bit keys and a longer key lifetime, then .nz should run with 2048-bit keys if there is no valid technical reason not to. The rest of the world has chosen 2048-bit, so CPU time/packet sizes is a moot enough point for them to choose it.

I've largely ignored DNSSEC for the past 3-4 years as it didn't really seem to have any traction, but this seems to have changed. I will look at implementing it again on our network, but I'm personally not going to dig into the crypto side of it too much, as I imagine a lot of IT people who implement it won't either.

From a lay person's perspective a 1280-bit key is weaker than a 2048-bit key. A lay person isn't going to look into it too much to see the key lifetime is different etc. etc.; they will just see we run a smaller number than the rest of the world and naturally think it's weaker, which may or may not be true.

If the energy, effort and cost of buying a good enough lock or getting a 3m thick blast door is near enough to the same, then I will go with the blast door. It's only when the cost to implement is different enough between the two options that I would consider buying a good enough lock. Cosmetic it may be, but the people who have to trust DNSSEC aren't the crypto geeks who designed it.

Cheers

--
Tristram Cheer
Network Architect
Tel. 09 438 5472 Ext 803 | Mobile. 022 412 1985 | Fax. | tristram.cheer(a)ubergroup.co.nz | www.ubergroup.co.nz
PS: Follow us on facebook: www.ubergroup.co.nz/fb or twitter https://twitter.com/#!/ubergroupltd

-----Original Message-----
From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of bmanning(a)vacation.karoshi.com
Sent: Friday, 10 June 2011 8:14 a.m.
To: Joel Wiramu Pauling
Cc: bmanning(a)vacation.karoshi.com; nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] I don't trust the NZRS DNSSEC procedures... Yet

On Fri, Jun 10, 2011 at 08:07:22AM +1200, Joel Wiramu Pauling wrote:
> On 10 June 2011 07:51, wrote:
> > Well - that's an easy answer for me:
> > ) bigger keys == bigger packets == more cost of bandwidth
> > ) bigger keys == bigger packets == more cost for CPU
> > ) bigger keys -WITH THE SAME ALGORITHM- are vulnerable to cracks in the algo. So 10 years is likely worthless for me.
>
> All valid arguments to be sure. But... then again, this is roughly synonymous with the "why bother locking your front door..." argument.

right. do you get a lock that is "good enough" or are you going to spend the money/effort to maintain a 3m thick blast door while not worrying about the flimsy lath & stucco walls?

As young Dean points out, the focus on the keysize sticker on the side'o'thebox is misguided. a well designed crypto/key management system - with a credible understanding of the actual threats - will (nearly) always pick the correct algo & keysize needed for the job.

//bill

_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
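As an added example (not from the thread), the "bigger keys == bigger packets" point can be put into numbers with the RFC 4034 / RFC 3110 wire formats: this script estimates the size of an apex DNSKEY response for RSA keys of 1280 and 2048 bits and checks it against the classic 512-byte UDP limit and a 1232-byte EDNS0 buffer. The zone name, key roles and signing policy are assumptions for illustration, not .nz's actual configuration.

```python
# Added example: estimate DNSSEC response sizes for RSA keys of different
# lengths, to put numbers on "bigger keys == bigger packets".
# Zone name, key roles and which keys sign the DNSKEY RRset are assumptions.

DNS_HEADER = 12      # RFC 1035 header
RR_FIXED = 10        # TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2)
NAME_POINTER = 2     # compressed owner name pointing at the question name
OPT_RR = 11          # EDNS0 OPT pseudo-RR with empty RDATA
RRSIG_FIXED = 18     # RFC 4034 RRSIG fields from type covered to key tag
CLASSIC_UDP = 512    # pre-EDNS0 UDP payload limit
EDNS_BUFSIZE = 1232  # common conservative EDNS0 buffer size


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a domain name (length-prefixed labels + root byte)."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return sum(1 + len(lbl) for lbl in labels) + 1


def dnskey_rdata_len(modulus_bits: int, exponent_bytes: int = 3) -> int:
    """RFC 4034 DNSKEY RDATA (flags, protocol, algorithm) with an RFC 3110 RSA key."""
    exp_len_field = 1 if exponent_bytes < 256 else 3
    return 2 + 1 + 1 + exp_len_field + exponent_bytes + modulus_bits // 8


def rrsig_rdata_len(modulus_bits: int, signer: str) -> int:
    """RFC 4034 RRSIG RDATA: signer's name is never compressed; RSA signature = modulus size."""
    return RRSIG_FIXED + wire_name_len(signer) + modulus_bits // 8


def apex_dnskey_response(zone, key_bits, signer_bits):
    """Size of a DNSKEY query response: every key in key_bits, one RRSIG per signer."""
    size = DNS_HEADER + wire_name_len(zone) + 4  # question: QNAME + QTYPE + QCLASS
    size += sum(NAME_POINTER + RR_FIXED + dnskey_rdata_len(b) for b in key_bits)
    size += sum(NAME_POINTER + RR_FIXED + rrsig_rdata_len(b, zone) for b in signer_bits)
    size += OPT_RR
    return {"bytes": size,
            "needs_edns0": size > CLASSIC_UDP,
            "fits_1232": size <= EDNS_BUFSIZE}


if __name__ == "__main__":
    # Constructed scenarios: a 2048-bit KSK with either a 1280- or a 2048-bit ZSK,
    # DNSKEY RRset signed by the KSK only.
    for zsk in (1280, 2048):
        print(f"KSK 2048 / ZSK {zsk}: {apex_dnskey_response('nz.', [2048, zsk], [2048])}")
```

Both scenarios already exceed 512 bytes, so EDNS0 is required either way; the 1280-bit ZSK saves 96 bytes in this response, which is the kind of margin the CPU/packet-size argument is actually about.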