----- Original Message -----
From: "Joe Abley" <jab...@hopcount.ca>
To: "Tony Finch" <d...@dotat.at>
Cc: "George Barwood" <george.barw...@blueyonder.co.uk>; <dnsop@ietf.org>
Sent: Monday, March 08, 2010 4:22 PM
Subject: Re: [DNSOP] Should root-servers.net be signed
> On 2010-03-08, at 11:18, Tony Finch wrote:
>> On Mon, 8 Mar 2010, Joe Abley wrote:
>>>
>>
>>> - signing ROOT-SERVERS.NET would result in potentially-harmful large
>>> responses with no increase in security
>>
>> Can't you deal with this by omitting the root-servers.net RRSIGs from the
>> additional section of responses to queries to the root?
> Are you suggesting that we implement a coordinated code change to all root
> servers in the name of security or stability?
> Diversity in operation and code base is usually thought to be a strength of
> the root server system.
It's interesting to note that currently
dig any . @a.root-servers.net +dnssec
truncates, leading to TCP fallback
but
dig any . @l.root-servers.net +dnssec
does not truncate (response size is 1906 bytes).
George
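The truncation behaviour George observes above is a header-level property of the DNS response: a server that cannot fit the signed answer into the client's advertised EDNS0 UDP payload size sets the TC bit, and the client then retries over TCP. The following is an added example, not code from this thread or from any root-server operator: it builds the same kind of query `dig any . +dnssec` sends (one question plus an EDNS0 OPT record with the DO bit), extracts the advertised UDP size and DO flag from a message, and reads the TC bit from a response header to decide whether a TCP retry is required. It uses only the Python standard library and runs offline; the two response messages at the bottom are constructed samples, not traffic captured from a.root-servers.net or l.root-servers.net.

```python
"""Added example: build a dig-style "any . +dnssec" query and decide, from the
response header, whether the TC bit forces a TCP retry. Stdlib only; no network.
The sample responses below are constructed, not captured from any root server."""
import struct

QTYPE_ANY = 255
QTYPE_OPT = 41
FLAG_QR = 0x8000   # header flag: message is a response
FLAG_RD = 0x0100   # header flag: recursion desired (dig sets it by default)
FLAG_TC = 0x0200   # header flag: truncated; the client should retry over TCP
EDNS_DO = 0x8000   # OPT TTL-field flag: DNSSEC OK, i.e. "send me the RRSIGs"


def encode_name(name):
    """Wire-encode a domain name; "." (the root) encodes as a single zero byte."""
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid, udp_size=4096, dnssec_ok=True):
    """Query with one question plus an EDNS0 OPT record (what dig +dnssec sends)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)   # qd=1, ar=1 (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt_ttl = EDNS_DO if dnssec_ok else 0   # ext-rcode=0, version=0, flags in low 16 bits
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_size, opt_ttl, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def edns_info(msg):
    """Find the OPT record; return (advertised_udp_size, dnssec_ok) or None if absent."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == QTYPE_OPT:                 # CLASS carries the UDP size, TTL the flags
            return rclass, bool(ttl & EDNS_DO)
    return None


def classify_response(resp):
    """Header-level verdict: size on the wire and whether TC forces a TCP retry."""
    if len(resp) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, *_ = struct.unpack("!HHHHHH", resp[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response (QR bit clear)")
    truncated = bool(flags & FLAG_TC)
    return {"txid": txid, "size": len(resp), "truncated": truncated,
            "next_transport": "tcp" if truncated else None}


# Constructed samples (not captured traffic): the question section of "any ." with a
# header whose TC bit is set in one case and clear in the other.
QUESTION_ANY_ROOT = encode_name(".") + struct.pack("!HH", QTYPE_ANY, 1)
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC, 1, 0, 0, 0) + QUESTION_ANY_ROOT
FULL_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR, 1, 0, 0, 0) + QUESTION_ANY_ROOT

if __name__ == "__main__":
    q = build_query(".", QTYPE_ANY, 0x1234)
    print("query bytes:", len(q), "EDNS (udp_size, DO):", edns_info(q))
    for label, r in (("truncated", TRUNCATED_RESPONSE), ("full", FULL_RESPONSE)):
        print(label, classify_response(r))
```

The advertised UDP size in the OPT record is the client's side of the bargain: a 1906-byte answer fits when the client offers 4096 but not when it offers the pre-EDNS default of 512, which is why the same query can come back whole from one server and truncated from another depending on the server's configured maximum UDP response size. Sending the query over a real socket and feeding the reply to `classify_response` is the only step left out here.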
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop