Hello.

Thank you very much.

Best regards
On Mon, 12 Jun 2023 at 14:06, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:

> On Mon, Jun 12, 2023 at 10:41:12AM -0400, Viktor Dukhovni wrote:
>
> > On Mon, Jun 12, 2023 at 10:37:22AM -0300, daniel majela wrote:
> >
> > > What is the best algorithm for ksk and zsk?
> >
> > The BCP algorithm is ECDSAP256SHA256(13). This is both more secure and
> > more compact than RSA. It is in wide use:
> >
> > https://stats.dnssec-tools.org/
> > https://stats.dnssec-tools.org/#/?dnssec_param_tab=0
> >
> > Today, out of 22,010,850 known signed zones, the number with algorithm
> > 14 KSKs is 9,982,219 or just over 45%.
> >
> > If you choose NSEC3, set the additional iteration count to 0, and avoid
> > opt-out unless you're operating a particularly large (10M+ delegations)
> > zone that is thinly signed. An empty salt is also sensible.
>
> I was reminded off-list that I neglected to recommend NSEC as the BCP
> default choice for end-user zones. Much simpler than NSEC3, and again
> smaller response sizes.
>
> In addition, best to optimise for "agility": keep your TTLs reasonably
> short, rarely more than one hour, and ideally shorter. That way, if
> anything does go wrong, you should be able to recover faster.
>
> You don't currently get to choose (through your registrar) the TTL of
> the DS RRs in the parent zone, perhaps some day... In the meantime,
> many registries now default DS TTLs to 1 hour or less. Some still have
> DS TTLs as high as one day.
>
> --
> Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

--
Daniel Majela Galvão
http://br.linkedin.com/pub/daniel-souza/6/1b1/774
(55-012) - 9-8201-9885
(55-012) - 9-9761-1511
(55-012) - 32076909
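Turning Viktor's recommendations into a check, as an added example that is not part of the thread: a small Python lint over DNSSEC records in presentation format that flags non-13 key algorithms, NSEC3 iterations, salt and opt-out, and TTLs above one hour. The record lines and key material are constructed; the minimal parser assumes one `owner TTL IN TYPE rdata` record per line.

```python
# Added example, not from the thread: lint DNSSEC records against the BCP
# guidance above (algorithm 13, NSEC3 with 0 iterations / empty salt / no
# opt-out, TTLs of at most one hour).
ONE_HOUR = 3600
BCP_ALGORITHM = 13  # ECDSAP256SHA256

def parse_rrs(zone_text):
    """Read 'owner TTL IN TYPE rdata...' lines; a minimal reader, not a zone-file parser."""
    rrs = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, ttl, _cls, rtype, *rdata = line.split()
        rrs.append({"owner": owner, "ttl": int(ttl), "type": rtype.upper(), "rdata": rdata})
    return rrs

def lint_dnssec(rrs):
    """Return a list of findings; an empty list means the records match the guidance."""
    findings = []
    for rr in rrs:
        owner, rtype, rdata = rr["owner"], rr["type"], rr["rdata"]
        if rtype == "DNSKEY":
            flags, _proto, alg = (int(x) for x in rdata[:3])
            role = "KSK" if flags & 1 else "ZSK"  # SEP bit set (flags 257) marks the KSK
            if alg != BCP_ALGORITHM:
                findings.append(f"{owner}: {role} uses algorithm {alg}, BCP is {BCP_ALGORITHM}")
        elif rtype == "NSEC3PARAM":
            iterations, salt = int(rdata[2]), rdata[3]
            if iterations != 0:
                findings.append(f"{owner}: NSEC3 iterations={iterations}, should be 0")
            if salt != "-":  # '-' is the presentation form of an empty salt
                findings.append(f"{owner}: NSEC3 salt {salt!r} set, empty salt recommended")
        elif rtype == "NSEC3" and int(rdata[1]) & 1:  # NSEC3 flags bit 0 = Opt-Out
            findings.append(f"{owner}: NSEC3 chain uses opt-out")
        if rr["ttl"] > ONE_HOUR:
            findings.append(f"{owner}: {rtype} TTL {rr['ttl']}s exceeds one hour")
    return findings

# Constructed sample: an RSA KSK, an NSEC3 chain with iterations and salt, a day-long DS TTL.
SAMPLE_ZONE = """\
example.test. 86400 IN DNSKEY 257 3 8 AwEAAc...  ; constructed RSASHA256 KSK
example.test. 3600 IN DNSKEY 256 3 13 oJMRES...  ; constructed ECDSAP256SHA256 ZSK
example.test. 3600 IN NSEC3PARAM 1 0 10 ABCD
abcd1234.example.test. 3600 IN NSEC3 1 1 10 ABCD EFGH5678 A RRSIG
example.test. 86400 IN DS 12345 13 2 0123456789ABCDEF
"""

if __name__ == "__main__":
    for finding in lint_dnssec(parse_rrs(SAMPLE_ZONE)):
        print(finding)
```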