<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><br><div class="gmail_quote"><div dir="ltr">On Wed, Dec 19, 2018 at 6:06 PM Viktor Dukhovni <<a href="mailto:ietf-dane@dukhovni.org">ietf-dane@dukhovni.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">> On Dec 19, 2018, at 5:20 PM, Warren Kumari <<a href="mailto:warren@kumari.net" target="_blank">warren@kumari.net</a>> wrote:<br>
> <br>
> So, what's going on here? Is this simply sample bias? Is the failover to TCP saving us? Or the predominance of v4? What's actually keping .org running (and I know that it *is* running :-))<br>
<br>
The answers that are not the zone apex DNSKEY RRs, are presumably<br>
signed with just the ZSK, and so don't breach the 1280 byte ceiling.<br></blockquote><div><br></div><div><div class="gmail_default" style="font-family:verdana,sans-serif">Sure, but to validate <a href="http://www.ietf.org">www.ietf.org</a> I need to fetch the zone apex DNSKEY RR at some point, don't I?<br></div><div class="gmail_default" style="font-family:verdana,sans-serif">Yes, the signed ns set and ds set in .org are both small, but they are not useful if I cannot get the org dnskey itself. </div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
The resolvers that are doing DNSSEC validation and thus request the<br>
DNSKEY RRset, are likely predominantly not behind broken home CPE<br>
routers and the like, and/or fail over to IPv4. So the actual<br>
impact may be low.<br></blockquote><div><br></div><div><div class="gmail_default" style="font-family:verdana,sans-serif">Yeah, that is what I was trying to say with sampling bias -- the people who run validating recursives may be "more able" than those who don't to get the packets?</div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Mind you, I'd still look to avoid triple-signing the DNSKEY RRset.<br></blockquote><div><br></div><div><div class="gmail_default" style="font-family:verdana,sans-serif">Awww, where is your sense of adventure?</div><div class="gmail_default" style="font-family:verdana,sans-serif">W</div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
-- <br>
Viktor.<br>
<br>
<br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
dns-operations mailing list<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">I don't think the execution is relevant when it was obviously a bad idea in the first place.<br>This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.<br> ---maf</div></div>