----- Original Message ----- 
From: "Olafur Gudmundsson" <o...@ogud.com>
To: <dnsop@ietf.org>
Sent: Wednesday, January 13, 2010 6:19 PM
Subject: [DNSOP] Priming query transport selection

> 26 signed glue records will require about a 5K answer if each RRSet is
> signed by a single 1024 bit RSA key.
> This will never fit into an EDNS0 answer as a number of implementations
> have a 4096 byte hard limit on answer size.
> As of today all the root server instances that my host reached answered a TCP
> query.

Why would glue records be signed? That's not normal in DNSSEC, AFAIK.
Querying the IANA testbed

dig ns . @ns.iana.org. +dnssec

signs only the NS RRset, which seems reasonable.
Is the testbed not representative in some way?

[ Worried I'm saying something stupid - haven't thought about DNSSEC recently ]
George
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
