[dns-operations] signing a zone with NSEC3 records.
regnauld at x0.dk
Thu Sep 10 13:56:55 UTC 2009
bert hubert (bert.hubert) writes:
> I can tell you that the people hosting hundreds of thousands of zones
> see this as a major issue, and in general, that DNSSEC is not on their
> radar or roadmap at all.
Well, not necessarily, but it's definitely not on their roadmap with
their existing architecture. The only way you're going to solve this
in a reasonable fashion is by splitting your auth servers into multiple
pools of NS tuples, with a cap on the number of zones each NS tuple can
load, and a hash to balance load across all tuples.
> So their silence should not be seen as an indication that there are no problems
Everybody's waiting to see what everyone else is doing.
More information about the dns-operations