Re: DNS Server DoS Attacks

["D. J. Bernstein" <djb@cr.yp.to>]

[ post by non-subscriber.  with the massive amount of spam, it is easy to
  miss and therefore delete mis-posts.  your subscription address is
  54830374684695-namedroppers@sublist.cr.yp.to, please post from it or
  fix subscription your subscription address! ]

PGP 2048-bit ElGamal signatures are probably the best choice for
root-zone distribution today: the signature format is reasonably simple
and reasonably well documented, and free signature-checking software is
already widely deployed. Of course, the root-zone protocol can support
multiple signatures on the same file.

Jim Reid writes:
> I can't believe you just said that. Does this mean you have recanted
> on your previous strident objections to DNSSEC? :-)

Have you stopped beating your wife, Jim?

Anyone who wants to see what I've actually said about DNSSEC should read
http://cr.yp.to/djbdns/forgery.html.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago



--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>