[dns-operations] .SE moving from DNSSEC algo 5 to 8

Roger Murray roger.murray at iis.se
Mon Dec 11 17:31:44 UTC 2017


Hey Arsen,


> On 11Dec, 2017, at 07:55 , Arsen STASIC <arsen.stasic at univie.ac.at> wrote:
> 
> Thanks for sharing this with us.

Happy to help and share.
> 
> Have you considered using NSEC3 with opt-out (for memory reasons)?
> 

We did some brainstorming a year or two ago about going over to NSEC3, but we decided to stay with NSEC. We were not really worried about the memory footprint and we shortly after that decided to even open our zones openly to the public for download.

/rog
> -arsen
> 
> * Roger Murray <roger.murray at iis.se> [2017-12-08 14:38 (+0000)]:
>> The zone was taking up about 1.6GB in memory before we started the algorithm roll, with all the signatures in the zone the size went up to 2.3GB.
>> 
>> /rog
>>> On 8Dec, 2017, at 08:56 , Jakob Schlyter <jakob at kirei.se> wrote:
>>> 
>>> Do you have any numbers to share?
>>> 
>>> 
>>> jakob
>>> 
>>> 
>>> Forwarded message:
>>> 
>>> From: Richard Lamb <slamb at xtcn.com>
>>> To: Jakob Schlyter <jakob at kirei.se>
>>> Subject: Re: [dns-operations] .SE moving from DNSSEC algo 5 to 8
>>> Date: Wed, 6 Dec 2017 09:09:38 -0800
>>> 
>>> excellent...
>>> How much bigger did the SE zonefile get due to the double signing of DS records?
>>> 
>>> 
>>> 
>>> On Wed, Dec 6, 2017 at 12:21 AM, Jakob Schlyter <jakob at kirei.se> wrote:
>>> FYI, .SE is under way moving from RSA/SHA-1 (5) 2048/1024 to RSA/SHA-256
>>> (8) 2048/2048 - http://dnsviz.net/d/se/dnssec/. DS at root is not yet
>>> updated.
>>> 
>>>        jakob
