[dns-operations] How .org name server handle large DNS response?

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Dec 21 18:21:31 UTC 2018

On Fri, Dec 21, 2018 at 07:11:50PM +0100, Anand Buddhdev wrote:

> > Both KSKs have been in place for over a year, and yet only one of the
> > two KSKs is matched by the DS RRset, while both sign the DNSKEY RRset.
> > The active ZSK needlessly also signs the DNSKEY RRset.  So it does not
> > quite look like that model.  All the nameservers are operated by Afilias.
> At RIPE NCC, we signed our zones with a Secure64 DNSSEC appliance for
> several years. This appliance's defaults are not very good: it publishes
> both the active and future KSKs and ZSKs, and signs the DNSKEY RRset
> with them. It also signs the DNSKEY RRset with the active ZSK. This
> makes for a grand total of 4 keys and 3 signatures.
> We overrode the defaults. We disabled publishing the future KSK, and
> disabled signing the DNSKEY RRset with the ZSK. This meant that our
> DNSKEY RRsets only contained 3 keys: the active KSK, the active ZSK and
> the future ZSK. There was only one signature over these keys, by the
> active KSK. The only time this grew bigger was when rolling the KSK,
> because then we'd have 2 KSKs, 2 ZSKs and 2 RRSIGs.
> I think I heard somewhere that .ORG was being signed with a Secure64
> DNSSEC appliance. If that's the case, it could explain this situation
> with .ORG.

That sounds highly plausible.  If anyone involved in DNS for .ORG
is reading this thread, perhaps an approach along the lines mentioned
by Anand would be worth a look.


More information about the dns-operations mailing list