[dns-operations] How .org name server handle large DNS response?
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri Dec 21 16:04:51 UTC 2018
> On Dec 21, 2018, at 3:38 AM, Davey Song(宋林健) <ljsong at biigroup.cn> wrote:
>
>> 1. Eliminate unnecessary DNSKEY RRSIGs, one (just by the active KSK)
>> is enough (c.f. .com), but .org sends three, two KSK signatures and
>> even one ZSK signature. Perhaps there's a good reason for this, but
>> it would be good to find a more svelte design.
>
> I guess the reason may be described in https://tools.ietf.org/html/draft-huque-dnsop-multi-provider-dnssec-03#section-2.2.2
Both KSKs have been in place for over a year, and yet only one of the
two KSKs is matched by the DS RRset, while both sign the DNSKEY RRset.
The active ZSK needlessly also signs the DNSKEY RRset. So it does not
quite look like that model. All the nameservers are operated by Afilias.
While two ZSKs are published concurrently, and coexist for their ~1 year
lifetimes (rotated at slightly different times), only one of the two
signs the zone file across all the nameservers:
@a0.org.afilias-nst.info
org. SOA a0.org.afilias-nst.info. noc.afilias-nst.info. ...
org. RRSIG SOA 7 1 900 20190111160052 20181221150052 63812 org. ...
@a2.org.afilias-nst.info
org. SOA a0.org.afilias-nst.info. noc.afilias-nst.info. ...
org. RRSIG SOA 7 1 900 20190111160052 20181221150052 63812 org. ...
@c0.org.afilias-nst.info
org. SOA a0.org.afilias-nst.info. noc.afilias-nst.info. ...
org. RRSIG SOA 7 1 900 20190111155945 20181221145945 63812 org. ...
@b0.org.afilias-nst.org
org. SOA a0.org.afilias-nst.info. noc.afilias-nst.info. ...
org. RRSIG SOA 7 1 900 20190111160052 20181221150052 63812 org. ...
@b2.org.afilias-nst.org
org. SOA a0.org.afilias-nst.info. noc.afilias-nst.info. ...
org. RRSIG SOA 7 1 900 20190111160052 20181221150052 63812 org. ...
@d0.org.afilias-nst.org
org. SOA a0.org.afilias-nst.info. noc.afilias-nst.info. ...
org. RRSIG SOA 7 1 900 20190111155945 20181221145945 63812 org. ...
--
Viktor.
More information about the dns-operations
mailing list