-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On 11/11/2010 07:49 PM, Matt Larson wrote:
> On Thu, 11 Nov 2010, Andrew Sullivan wrote:
>> argument by just signing the data.
>
> That's simply the conservative, operationally prudent course of
> action.

I suspect there is cause to be conservative. Thus, I have performed a
test with BIND 9.7.1 and NSD 3.2.6, signing root-servers.net (test
RSASHA256 2048 ksk and 1024 zsk), and checked the response sizes for
the prime query and a query to a.root-servers.net. These are the results:

. NS (BIND): 4525
. NS (NSD): 829 (unchanged from today)
a.root-servers.net A (BIND): 4557
a.root-servers.net A (NSD): 4575

The difference for a.root-servers.net is because of the compression
implementation, and on UDP it most likely would be cut off at 40xx.

The prime response from BIND includes the RRSIGs over the root server A
and AAAA records (at 164 bytes data each, 21 times).

This is of course a very quick test, and details would need a serious
investigation.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkzdYWcACgkQkDLqNwOhpPg8PwCfbPOCTN3UpL6Pn0qRjMAwsIM6
GEgAoJa8FWcscolFwKbxuA81S09Aduk+
=lK1P
-----END PGP SIGNATURE-----
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
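The size effect Wouter reports can be reproduced structurally with a small wire-format model. The following is an added example, not code from the post or from BIND/NSD: it encodes a priming response (question `. NS`, 13 NS records in the answer, root-servers.net A/AAAA glue in the additional section) with and without RFC 1035 name compression, and with and without RRSIGs over the glue. The server set (13 A records, 8 AAAA records, giving the 21 signed address RRs counted in the post), the 1024-bit RSA ZSK, and the TTL, key-tag and timestamp values are assumptions; no OPT record or RRSIG over the root NS RRset itself is included, so the absolute numbers are a model, not the measured 4525/829.

```python
"""Wire-size model of a DNSSEC-signed priming response (added example)."""
import struct

ZONE = "root-servers.net."
SERVERS = [f"{c}.root-servers.net." for c in "abcdefghijklm"]
# Assumption: the eight root servers that had AAAA glue in late 2010.
# 13 A + 8 AAAA = 21 address RRs, one RRSIG each when the zone is signed.
HAS_AAAA = set("afhijklm")
ZSK_BITS = 1024                        # assumed; RSA signature = modulus size
TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_RRSIG = 1, 2, 28, 46
TTL = 3600000                          # assumed; does not affect size


def labels(name):
    """Split a presentation-format name into its non-empty labels."""
    return [l for l in name.rstrip(".").split(".") if l]


def wire_name(name):
    """Uncompressed wire encoding of a name: length-prefixed labels + 0."""
    return b"".join(bytes([len(l)]) + l.encode() for l in labels(name)) + b"\0"


class Encoder:
    """Minimal DNS message builder with optional RFC 1035 name compression."""

    def __init__(self, compress=True):
        self.buf = bytearray()
        self.compress = compress
        self.offsets = {}              # label-suffix tuple -> first offset

    def name(self, name):
        labs = labels(name)
        while labs:
            key = tuple(labs)
            if self.compress and key in self.offsets:
                # Pointer: top two bits set, 14-bit offset of the earlier copy.
                self.buf += struct.pack("!H", 0xC000 | self.offsets[key])
                return
            if len(self.buf) < 0x4000:
                self.offsets.setdefault(key, len(self.buf))
            self.buf += bytes([len(labs[0])]) + labs[0].encode()
            labs = labs[1:]
        self.buf.append(0)             # root label terminates the name

    def rr(self, owner, rtype, rdata=b"", rdata_name=None):
        """Append one RR; an NS target is encoded in place so it compresses."""
        self.name(owner)
        self.buf += struct.pack("!HHI", rtype, 1, TTL)
        len_pos = len(self.buf)
        self.buf += b"\0\0"            # RDLENGTH placeholder, patched below
        start = len(self.buf)
        if rdata_name is not None:
            self.name(rdata_name)
        self.buf += rdata
        struct.pack_into("!H", self.buf, len_pos, len(self.buf) - start)


def rrsig_rdata(type_covered, signer, sig_bits):
    """RRSIG RDATA per RFC 4034 s3.1: 18 fixed bytes, the signer name
    (which MUST NOT be compressed), then the raw signature."""
    fixed = struct.pack("!HBBIIIH", type_covered, 8, 3, TTL, 0, 0, 0)
    return fixed + wire_name(signer) + bytes(sig_bits // 8)


def build_priming_response(compress=True, sign_glue=True):
    """Answer to '. NS': 13 NS RRs, then A/AAAA glue (+RRSIG) for each server."""
    enc = Encoder(compress)
    enc.buf += struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 0, 0, 0)
    enc.name(".")
    enc.buf += struct.pack("!HH", TYPE_NS, 1)
    ancount = arcount = 0
    for s in SERVERS:
        enc.rr(".", TYPE_NS, rdata_name=s)
        ancount += 1
    for s in SERVERS:
        addrs = [(TYPE_A, bytes(4))]
        if s[0] in HAS_AAAA:
            addrs.append((TYPE_AAAA, bytes(16)))
        for rtype, addr in addrs:
            enc.rr(s, rtype, addr)
            arcount += 1
            if sign_glue:
                enc.rr(s, TYPE_RRSIG, rrsig_rdata(rtype, ZONE, ZSK_BITS))
                arcount += 1
    struct.pack_into("!HHH", enc.buf, 6, ancount, 0, arcount)
    return bytes(enc.buf)


if __name__ == "__main__":
    print("RRSIG RDATA bytes:", len(rrsig_rdata(TYPE_A, ZONE, ZSK_BITS)))
    for compress in (True, False):
        for sign in (False, True):
            n = len(build_priming_response(compress, sign))
            print(f"compress={compress!s:5} signed_glue={sign!s:5} -> {n} bytes")
```

The 164-byte RRSIG RDATA in the post falls out of the format alone: 18 fixed bytes, 18 bytes for the uncompressed signer `root-servers.net.`, and a 128-byte signature from a 1024-bit ZSK. In the model, compression turns each glue owner name into a 2-byte pointer (the suffix was already emitted inside the first NS RDATA), which is why an encoder that compresses less aggressively produces a larger reply for the same data, and why 21 signatures push a sub-700-byte priming response past 4000 bytes.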