[ksk-rollover] alternatives to 5110 for automating roll-over

Paul Wouters paul at nohats.ca
Sat Mar 30 10:42:20 UTC 2019

> On Mar 30, 2019, at 11:03, Matthew Pounsett <matt at conundrum.com> wrote:
> Given the operational experience we have with large response sizes, it seems like having three KSKs in the DNSKEY set (on top of one or more ZSKs, depending on the current status of a ZSK roll) plus RRSIGs from two different keys is probably not feasible.

What negative operational experience with large DNSKEY sets are you talking about? I’ve seen 12 in TLDs without any noticeable impact.

