[dns-operations] How .org name server handle large DNS response?

Anand Buddhdev anandb at ripe.net
Fri Dec 21 18:11:50 UTC 2018

On 21/12/2018 17:04, Viktor Dukhovni wrote:

Hi Viktor,

> Both KSKs have been in place for over a year, and yet only one of the
> two KSKs is matched by the DS RRset, while both sign the DNSKEY RRset.
> The active ZSK needlessly also signs the DNSKEY RRset.  So it does not
> quite look like that model.  All the nameservers are operated by Afilias.

At RIPE NCC, we signed our zones with a Secure64 DNSSEC appliance for
several years. This appliance's defaults are not very good: it publishes
both the active and future KSKs and ZSKs, and signs the DNSKEY RRset
with them. It also signs the DNSKEY RRset with the active ZSK. This
makes for a grand total of 4 keys and 3 signatures.

We overrode the defaults. We disabled publishing the future KSK, and
disabled signing the DNSKEY RRset with the ZSK. This meant that our
DNSKEY RRsets only contained 3 keys: the active KSK, the active ZSK and
the future ZSK. There was only one signature over these keys, by the
active KSK. The only time this grew bigger was when rolling the KSK,
because then we'd have 2 KSKs, 2 ZSKs and 2 RRSIGs.

I think I heard somewhere that .ORG was being signed with a Secure64
DNSSEC appliance. If that's the case, it could explain this situation
with .ORG.

Anand Buddhdev

More information about the dns-operations mailing list