No comment (it was about this, and we all thought we had gotten past Kaminsky) - Kudos to Vernon:

Now we (including me) have known the dangers and limitations, so should we set max-udp-size to 1220 on every authoritative server?

Sometimes crazy conspiracy theories make too much sense. Please make up one of your own from some facts:

  • Some known major PKI failures were ostensibly in support of nation states. Remember Comodo and DigiNotar

  • Nation states hate encryption and do whatever they can against it, from trying to outlaw it (e.g. pgp in the U.S.) to trying to legislate weak keys or backdoors in encryption systems (e.g. Clipper, also in the U.S.)

  • DANE and TLSA cannot offer perfect security (nothing can), but would significantly improve the PKI and complicate the work of government snoops and censors.

  • DANE and TLSA depend on DNSSEC.

  • http://www.postfix.org/TLS_README.html#client_tls_dane

  • a quick sample of DNSSEC A answers finds them all larger than 1220 bytes

  • switching the DNS from UDP to TCP would fail because of TCP costs including 3 times as many packets, server state, and even time wait exhaustion

  • DNS reflection DoS attacks have been used as reasons for not supporting DNSSEC.

  • this new furor over a dubious DNS security issue is being used indirectly against DNSSEC

  • http://scoreboard.verisignlabs.com/ http://scoreboard.verisignlabs.com/percent-trace.png

Vernon Schryver vjs@rhyolite.com
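To make the "larger than 1220 bytes" point concrete, here is an added example that is not part of the thread and not Vernon's code: a small, standard-library-only Python estimator that assembles DNS wire-format responses and reports whether they fit a given max-udp-size or would be truncated (TC bit set) and retried over TCP. It goes a little beyond the post by comparing RSA-2048 with ECDSA P-256 signatures, since the signature and key lengths are what drive the size. Zone names, addresses, key tag and timestamps are constructed sample values, and the signature and public-key bytes are zero-filled placeholders of the correct length, so the byte counts are exact for the records shown but describe no real zone.

```python
"""Estimate DNSSEC response sizes against an EDNS UDP buffer limit such as
max-udp-size 1220. Added example, not code from the original thread: it builds
DNS wire-format messages with the standard library only, so the byte counts are
exact for the records included, but names, addresses, key tags and timestamps
are constructed sample values and signature/key bytes are zero-filled
placeholders of the length a real RSA-2048 or ECDSA P-256 value would have."""
import struct

TYPE_A, TYPE_NS, TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 1, 2, 41, 46, 48
CLASS_IN = 1
# Algorithm number (RFC 8624 table), signature length and public key length in bytes.
# RSA-2048: 256-byte signature; DNSKEY holds exponent length (1) + exponent (3) + modulus (256).
ALGS = {"RSASHA256-2048": (8, 256, 260), "ECDSAP256SHA256": (13, 64, 64)}


def encode_name(name):
    """Uncompressed wire-format name (a worst case: name compression can only shrink it)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def encode_rr(owner, rtype, ttl, rdata):
    """Owner name, then the fixed TYPE / CLASS / TTL / RDLENGTH fields, then RDATA."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def a_rdata(ip):
    return bytes(int(octet) for octet in ip.split("."))


def dnskey_rdata(alg, flags):
    """DNSKEY RDATA (RFC 4034 s2.1): flags, protocol 3, algorithm, then the public key."""
    return struct.pack("!HBB", flags, 3, ALGS[alg][0]) + b"\x00" * ALGS[alg][2]


def rrsig_rdata(type_covered, owner, signer, alg, ttl):
    """RRSIG RDATA (RFC 4034 s3.1) with a zero-filled signature of the algorithm's length."""
    labels = len(owner.rstrip(".").split("."))
    fixed = struct.pack("!HBBIIIH", type_covered, ALGS[alg][0], labels, ttl,
                        1700000000, 1699000000, 12345)  # expiry, inception, key tag: sample values
    return fixed + encode_name(signer) + b"\x00" * ALGS[alg][1]


def rrset(owner, rtype, rdatas, alg=None, signer="example.com.", ttl=3600, n_sigs=1):
    """An RRset as (owner, type, rdata) tuples; if alg is given, append n_sigs RRSIGs
    (an apex DNSKEY RRset is normally signed by both KSK and ZSK, hence n_sigs=2 there)."""
    rrs = [(owner, rtype, rd) for rd in rdatas]
    if alg:
        rrs += [(owner, TYPE_RRSIG, rrsig_rdata(rtype, owner, signer, alg, ttl))] * n_sigs
    return rrs


def build_response(qname, qtype, answers, authority=(), edns=True, ttl=3600):
    """Wire-format authoritative response (QR and AA set) with an OPT record when edns=True."""
    additional = []
    if edns:
        # OPT pseudo-RR: root owner, type 41, CLASS = UDP payload size, TTL = ext-rcode/flags (DO bit)
        additional.append(b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000, 0))
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(answers), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    body = b"".join(encode_rr(o, t, ttl, r) for o, t, r in list(answers) + list(authority))
    return header + question + body + b"".join(additional)


def udp_verdict(msg, max_udp_size):
    """What a server limited to max_udp_size does with this response."""
    return "fits in UDP" if len(msg) <= max_udp_size else "TC set, client retries over TCP"


def a_answer_size(alg=None):
    """Size of a 'www A' answer carrying the zone's 4 NS records in the authority section."""
    ans = rrset("www.example.com.", TYPE_A, [a_rdata("192.0.2.10")], alg)
    ns_names = [encode_name(f"ns{i}.example.com.") for i in range(1, 5)]
    auth = rrset("example.com.", TYPE_NS, ns_names, alg)
    return len(build_response("www.example.com.", TYPE_A, ans, auth))


def dnskey_answer_size(alg):
    """Size of the apex DNSKEY answer: KSK (flags 257) + ZSK (flags 256), RRSIG'd by both keys."""
    keys = [dnskey_rdata(alg, 257), dnskey_rdata(alg, 256)]
    ans = rrset("example.com.", TYPE_DNSKEY, keys, alg, n_sigs=2)
    return len(build_response("example.com.", TYPE_DNSKEY, ans))


if __name__ == "__main__":
    limit = 1220
    print(f"unsigned A answer: {a_answer_size()} bytes")
    for alg in ALGS:
        for label, size in (("A", a_answer_size(alg)), ("DNSKEY", dnskey_answer_size(alg))):
            print(f"{alg:16} {label:7} {size:5} bytes -> {udp_verdict(b'x' * size, limit)}")
```

The numbers it produces show the shape of the problem: a signed A answer with four NS records and RSA-2048 signatures stays under 1220 bytes, but the apex DNSKEY answer (two RSA-2048 keys and two RSA-2048 signatures) already exceeds it, so a resolver that first validates the zone's keys will fall back to TCP for exactly the query it must make before trusting anything else. The same DNSKEY answer with ECDSA P-256 is well under half that size, which is why response size is one of the usual arguments for the smaller algorithms when choosing an EDNS buffer limit.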