[ksk-rollover] alternatives to 5110 for automating roll-over

Matthew Pounsett matt at conundrum.com
Sat Mar 30 10:56:01 UTC 2019


On Sat, 30 Mar 2019 at 11:42, Paul Wouters <paul at nohats.ca> wrote:

>
> > On Mar 30, 2019, at 11:03, Matthew Pounsett <matt at conundrum.com> wrote:
> >
> > Given the operational experience we have with large response sizes, it
> seems like having three KSKs in the DNSKEY set (on top of one or more ZSKs,
> depending on the current status of a ZSK roll) plus RRSIGs from two
> different keys is probably not feasible.
>
> What negative operational experience with large dnskey sets are you
> talking about? I’ve seen 12 in TLDs without any noticeable impact.
>

Perhaps I've misunderstood, but I was under the impression Geoff has
significant evidence of issues when DNS messages are large enough to
fragment in IPv6.  Five RRs in a DNSKEY set plus two RRSIGs seems to me to
be fairly likely to result in fragmentation.
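As an added illustration (not part of the thread, and not a measurement of any live zone), the following Python estimates the wire size of a root-zone DNSKEY response for the key mix discussed above (five DNSKEY RRs plus two RRSIGs) and compares it against the 1232-byte payload that fits the IPv6 minimum MTU of 1280 bytes without fragmentation. It also goes one step beyond the message by running the same layout with ECDSA P-256 keys, since algorithm choice is what dominates the size. Key lengths, the RSA exponent length, and the one-byte root owner name are assumptions, not values from the list.

```python
"""Estimate the wire size of a DNSKEY response for the root zone (".").

Added illustration, not from the ksk-rollover thread. Key sizes and the
RSA exponent length are assumed to be realistic (RSA-2048 with a 3-byte
exponent, ECDSA P-256); they are not measurements of any deployed zone.
"""
from dataclasses import dataclass
from typing import Sequence

# Per-RR fixed fields on the wire: TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2)
RR_FIXED_HEADER = 10
ROOT_NAME_LEN = 1            # the root name "." encodes as a single zero byte
DNS_HEADER_LEN = 12
QUESTION_LEN = ROOT_NAME_LEN + 2 + 2   # QNAME + QTYPE + QCLASS
OPT_RR_LEN = 11              # EDNS0 OPT pseudo-RR carrying no options
IPV6_MIN_MTU = 1280          # RFC 8200 minimum link MTU
IPV6_UDP_OVERHEAD = 40 + 8   # IPv6 header + UDP header
# Largest UDP payload that cannot fragment on a minimum-MTU IPv6 path;
# this is also the buffer size recommended by DNS Flag Day 2020.
MAX_UNFRAGMENTED_PAYLOAD = IPV6_MIN_MTU - IPV6_UDP_OVERHEAD   # 1232


@dataclass(frozen=True)
class Algorithm:
    name: str
    pubkey_len: int   # DNSKEY public-key field, bytes
    sig_len: int      # RRSIG signature field, bytes


# RSA public key field (RFC 3110): exponent-length byte + exponent + modulus.
RSA_2048 = Algorithm("RSASHA256/2048", pubkey_len=1 + 3 + 256, sig_len=256)
# ECDSA P-256 (RFC 6605): 64-byte public point, 64-byte r||s signature.
ECDSA_P256 = Algorithm("ECDSAP256SHA256", pubkey_len=64, sig_len=64)


def dnskey_rr_len(alg: Algorithm, owner_len: int = ROOT_NAME_LEN) -> int:
    """Bytes for one DNSKEY RR: owner + fixed header + FLAGS(2) PROTO(1) ALG(1) + key."""
    return owner_len + RR_FIXED_HEADER + 4 + alg.pubkey_len


def rrsig_rr_len(alg: Algorithm, owner_len: int = ROOT_NAME_LEN,
                 signer_len: int = ROOT_NAME_LEN) -> int:
    """Bytes for one RRSIG RR.

    RDATA: type covered(2) + algorithm(1) + labels(1) + original TTL(4)
           + expiration(4) + inception(4) + key tag(2) + signer name + signature
    """
    return owner_len + RR_FIXED_HEADER + 18 + signer_len + alg.sig_len


def dnskey_response_len(keys: Sequence[Algorithm], sigs: Sequence[Algorithm]) -> int:
    """Total bytes of a DNSKEY response: header, question, answer RRset, OPT RR."""
    answer = sum(dnskey_rr_len(k) for k in keys) + sum(rrsig_rr_len(s) for s in sigs)
    return DNS_HEADER_LEN + QUESTION_LEN + answer + OPT_RR_LEN


def will_fragment_ipv6(payload_len: int) -> bool:
    """True if a UDP response of this size exceeds the IPv6 minimum-MTU budget."""
    return payload_len > MAX_UNFRAGMENTED_PAYLOAD


def report(label: str, keys: Sequence[Algorithm], sigs: Sequence[Algorithm]) -> str:
    size = dnskey_response_len(keys, sigs)
    verdict = "exceeds" if will_fragment_ipv6(size) else "fits within"
    return f"{label}: {size} bytes, {verdict} {MAX_UNFRAGMENTED_PAYLOAD}-byte budget"


if __name__ == "__main__":
    # Scenario from the thread: three KSKs + two ZSKs, signed by two keys.
    print(report("RSA-2048, 3 KSK + 2 ZSK, 2 RRSIG", [RSA_2048] * 5, [RSA_2048] * 2))
    # Same layout with ECDSA P-256 keys, for comparison.
    print(report("P-256, 3 KSK + 2 ZSK, 2 RRSIG", [ECDSA_P256] * 5, [ECDSA_P256] * 2))
    # Smaller baseline: two KSKs + one ZSK, two RRSIGs.
    print(report("RSA-2048, 2 KSK + 1 ZSK, 2 RRSIG", [RSA_2048] * 3, [RSA_2048] * 2))
```

The estimate ignores name compression (irrelevant for the one-byte root name) and any additional records a server might add, so it is a lower bound on what a resolver would receive. The point it makes is the one the message hints at: with RSA-2048 keys, five DNSKEY RRs and two RRSIGs produce a response well above 1232 bytes, whereas the same layout with P-256 keys stays comfortably under it.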