[dns-operations] How .org name server handle large DNS response?
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri Dec 21 18:21:31 UTC 2018
On Fri, Dec 21, 2018 at 07:11:50PM +0100, Anand Buddhdev wrote:
> > Both KSKs have been in place for over a year, and yet only one of the
> > two KSKs is matched by the DS RRset, while both sign the DNSKEY RRset.
> > The active ZSK needlessly also signs the DNSKEY RRset. So it does not
> > quite look like that model. All the nameservers are operated by Afilias.
>
> At RIPE NCC, we signed our zones with a Secure64 DNSSEC appliance for
> several years. This appliance's defaults are not very good: it publishes
> both the active and future KSKs and ZSKs, and signs the DNSKEY RRset
> with them. It also signs the DNSKEY RRset with the active ZSK. This
> makes for a grand total of 4 keys and 3 signatures.
>
> We overrode the defaults. We disabled publishing the future KSK, and
> disabled signing the DNSKEY RRset with the ZSK. This meant that our
> DNSKEY RRsets only contained 3 keys: the active KSK, the active ZSK and
> the future ZSK. There was only one signature over these keys, by the
> active KSK. The only time this grew bigger was when rolling the KSK,
> because then we'd have 2 KSKs, 2 ZSKs and 2 RRSIGs.
>
> I think I heard somewhere that .ORG was being signed with a Secure64
> DNSSEC appliance. If that's the case, it could explain this situation
> with .ORG.
That sounds highly plausible. If anyone involved in DNS for .ORG
is reading this thread, perhaps an approach along the lines mentioned
by Anand would be worth a look.
--
Viktor.
More information about the dns-operations
mailing list