----- Original Message ----- From: "Olafur Gudmundsson" <o...@ogud.com> To: <dnsop@ietf.org> Sent: Wednesday, January 13, 2010 6:19 PM Subject: [DNSOP] Priming query transport selection
> 26 signed glue records will require about 5K answer if each RRSet is > signed by a single 1024 bit RSA key. > This will never fit into an ENDS0 answer as number of implementations > have 4096 byte hard limit on answer size. > As of today all the root servers instances that my host reached answered a TCP > query. Why would glue records be signed? That's not normal in DNSSEC, AFAIK. Querying the IANA testbed dig ns . @ns.iana.org. +dnssec signs only the NS RRset, which seems reasonable. Is the testbed not representative in some way? [ Worried I'm saying something stupid - haven't thought about DNSSEC recently ] George _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop