
Re: Transition from 2535 to opt-in



Roy Arends <Roy.Arends@nominum.com> writes:

> If the "DNSSEC was not designed as a defense against DoS attacks" is used
> as a general statement, why aren't NXT and SIG generated on the fly?
> EXACTLY, to make sure the system will not be used against a DoS.

Well, partially.  They are not created in real-time because the data
is quasi-static.  Why re-sign the same data over and over when you can
sign it once and re-use the signature?  Also, creating signatures is
an _expensive_ operation.  It was even more so 5+ years ago when 2535
was being written.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available

