[dns-operations] .SE moving from DNSSEC algo 5 to 8

Arsen STASIC arsen.stasic at univie.ac.at
Mon Dec 11 06:55:54 UTC 2017


Thanks for sharing this with us.

Have you considered using NSEC3 with opt-out (for memory reasons)?

-arsen

* Roger Murray <roger.murray at iis.se> [2017-12-08 14:38 (+0000)]:
>The zone was taking up about 1.6GB in memory before we started the algorithm roll. With all the signatures in the zone, the size went up to 2.3GB.
>
>/rog
>> On 8Dec, 2017, at 08:56 , Jakob Schlyter <jakob at kirei.se> wrote:
>>
>> Do you have any numbers to share?
>>
>>
>> jakob
>>
>>
>> Forwarded message:
>>
>> From: Richard Lamb <slamb at xtcn.com>
>> To: Jakob Schlyter <jakob at kirei.se>
>> Subject: Re: [dns-operations] .SE moving from DNSSEC algo 5 to 8
>> Date: Wed, 6 Dec 2017 09:09:38 -0800
>>
>> excellent...
>> How much bigger did the SE zonefile get due to the double signing of DS records?
>>
>>
>>
>> On Wed, Dec 6, 2017 at 12:21 AM, Jakob Schlyter <jakob at kirei.se> wrote:
>> FYI, .SE is under way moving from RSA/SHA-1 (5) 2048/1024 to RSA/SHA-256
>> (8) 2048/2048 - http://dnsviz.net/d/se/dnssec/. DS at root is not yet
>> updated.
>>
>>         jakob