[dns-operations] .PL DNSSEC broken again

Dave Lawrence tale at dd.org
Tue Jun 18 03:29:48 UTC 2019

Mark Andrews writes:
> I’ve yet to see a case where “on the fly” signing is necessary.  All
> you need to do is be able to publish different RRsets with their matching
> RRSIGs all of which can be precomputed.

Theoretically true, but there are indeed some zones, such as some CDN
zones, for which the number of possible RRsets is so great that
in practical terms you can't precompute and store them all.

You can argue against the legitimacy of that architecture, but that's
a different claim.

That said, I basically agree with you that a perceived need for
on-the-fly signing is not a real blocker for most of the non-adoption.

