[dns-operations] DNSSEC parameter BCP

daniel majela dmajela at gmail.com
Tue Jun 13 13:19:13 UTC 2023


Hello.
Thank you very much.

Best regards

On Mon, Jun 12, 2023 at 14:06, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:

> On Mon, Jun 12, 2023 at 10:41:12AM -0400, Viktor Dukhovni wrote:
>
> > On Mon, Jun 12, 2023 at 10:37:22AM -0300, daniel majela wrote:
> >
> > > What is the best algorithm for ksk and zsk?
> >
> > The BCP algorithm is ECDSAP256SHA256(13).  This is both more secure and
> > more compact than RSA.  It is in wide use:
> >
> >     https://stats.dnssec-tools.org/
> >     https://stats.dnssec-tools.org/#/?dnssec_param_tab=0
> >
> > Today, out of 22,010,850 known signed zones, the number with algorithm
> > 14 KSKs is 9,982,219 or just over 45%.
> >
> > If you choose NSEC3, set the additional iteration count to 0, and avoid
> > opt-out unless you're operating a particularly large (10M+ delegations)
> > zone that is thinly signed.  An empty salt is also sensible.
>
> I was reminded off-list that I neglected to recommend NSEC as the BCP
> default choice for end-user zones.  Much simpler than NSEC3, and again
> smaller response sizes.
>
> In addition, best to optimise for "agility": keep your TTLs reasonably
> short, rarely more than one hour, and ideally shorter.  That way, if
> anything does go wrong, you should be able to recover faster.
>
> You don't currently get to choose (through your registrar) the TTL of
> the DS RRs in the parent zone, perhaps some day...  In the meantime,
> many registries now default DS TTLs to 1 hour or less.  Some still have
> DS TTLs as high as one day.
>
> --
>     Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>


-- 
Daniel Majela Galvão
http://br.linkedin.com/pub/daniel-souza/6/1b1/774

(55-012) - 9-8201-9885
(55-012) - 9-9761-1511
(55-012) - 32076909
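The parameter checks from Viktor's reply above (algorithm 13, NSEC3 iterations 0 with an empty salt and no opt-out, TTLs of an hour or less) can be turned into a small audit script. The code below is an added example written for this thread; it is not from the original message nor from any DNSSEC tool, and it parses a simplified one-record-per-line zone listing rather than full master-file syntax. The sample zone data, key material and NSEC3 hashes are constructed placeholders.

```python
"""Audit DNSSEC parameters in a zone listing against the thread's BCP."""
from dataclasses import dataclass
from typing import List

# Algorithm numbers from the IANA DNSSEC algorithm registry.
ALG_NAMES = {
    5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}
BCP_ALGORITHM = 13   # ECDSAP256SHA256, the algorithm recommended in the thread
MAX_TTL = 3600       # "rarely more than one hour"


@dataclass
class RR:
    owner: str
    ttl: int
    rrtype: str
    rdata: List[str]


def parse_zone(text: str) -> List[RR]:
    """Parse a simplified presentation-format listing: one record per line,
    'owner TTL IN TYPE rdata...'; ';' comments, blank and '$' lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        owner, ttl, klass, rrtype, *rdata = line.split()
        if klass != "IN":
            raise ValueError(f"unsupported class in record: {line}")
        records.append(RR(owner, int(ttl), rrtype.upper(), rdata))
    return records


def audit(records: List[RR]) -> List[str]:
    """Return one human-readable finding per deviation from the BCP."""
    findings: List[str] = []

    def add(msg: str) -> None:
        if msg not in findings:          # collapse repeats (e.g. many NSEC3 RRs)
            findings.append(msg)

    for rr in records:
        if rr.rrtype == "DNSKEY":
            flags, alg = int(rr.rdata[0]), int(rr.rdata[2])
            role = "KSK" if flags & 1 else "ZSK"   # SEP bit marks the KSK
            if alg != BCP_ALGORITHM:
                add(f"{rr.owner} {role} uses algorithm {alg} "
                    f"({ALG_NAMES.get(alg, 'unknown')}); BCP is 13 (ECDSAP256SHA256)")
        elif rr.rrtype == "NSEC3PARAM":
            iterations, salt = int(rr.rdata[2]), rr.rdata[3]
            add(f"{rr.owner} uses NSEC3; NSEC is the simpler default for end-user zones")
            if iterations != 0:
                add(f"{rr.owner} NSEC3 iterations={iterations}; BCP is 0")
            if salt != "-":
                add(f"{rr.owner} NSEC3 salt={salt}; an empty salt (-) is sensible")
        elif rr.rrtype == "NSEC3":
            # Opt-out is signalled by flag bit 0 of the NSEC3 RR (RFC 5155), not NSEC3PARAM.
            if int(rr.rdata[1]) & 1:
                add("NSEC3 opt-out in use; avoid unless the zone is very large (10M+ delegations)")
        if rr.ttl > MAX_TTL:
            add(f"{rr.owner} {rr.rrtype} TTL={rr.ttl}s exceeds {MAX_TTL}s; shorter TTLs speed recovery")
    return findings


def audit_zone_text(text: str) -> List[str]:
    return audit(parse_zone(text))


# Constructed sample listings (key material and NSEC3 hashes are placeholders).
SAMPLE_NONCOMPLIANT = """
example.com.  86400 IN SOA ns1.example.com. hostmaster.example.com. 2023061301 7200 900 1209600 300
example.com.   3600 IN DNSKEY 257 3 8 PLACEHOLDER-KSK-KEY
example.com.   3600 IN DNSKEY 256 3 13 PLACEHOLDER-ZSK-KEY
example.com.   3600 IN NSEC3PARAM 1 0 10 AABBCCDD
hash1.example.com. 3600 IN NSEC3 1 1 10 AABBCCDD hash2 NS SOA RRSIG DNSKEY NSEC3PARAM
"""

SAMPLE_COMPLIANT = """
example.net. 300 IN SOA ns1.example.net. hostmaster.example.net. 2023061301 7200 900 1209600 300
example.net. 300 IN DNSKEY 257 3 13 PLACEHOLDER-KSK-KEY
example.net. 300 IN DNSKEY 256 3 13 PLACEHOLDER-ZSK-KEY
example.net. 300 IN NSEC ns1.example.net. NS SOA RRSIG NSEC DNSKEY
"""

if __name__ == "__main__":
    for finding in audit_zone_text(SAMPLE_NONCOMPLIANT):
        print("-", finding)
```

Run against the non-compliant sample it reports six findings (the RSA KSK, the NSEC3 choice, non-zero iterations, a non-empty salt, opt-out, and the one-day SOA TTL); the compliant sample produces none. The DS TTL point from the thread is covered by the same TTL check if you paste the parent's DS records into the listing.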