[dns-operations] signing a zone with NSEC3 records.

Phil Regnauld regnauld at x0.dk
Thu Sep 10 13:56:55 UTC 2009

bert hubert (bert.hubert) writes:
> I can tell you that the people hosting hundreds of thousands of zones
> see this as a major issue, and in general, that DNSSEC is not on their
> radar or roadmap at all.

	Well, not necessarily, but it's definitely not on their roadmap with
	their existing architecture.  The only way you're going to solve this
	in a reasonable fashion is by splitting your auth servers into multiple
	pools of NS tuples, with a cap on the number of zones each NS tuple can
	load, and a hash to balance load across all tuples.

> So their silence should not be seen as an indication that there are no problems

	Everybody's waiting to see what everyone else is doing.

More information about the dns-operations mailing list