On Mon, 18 Apr 2011, George Barwood wrote:
> (1) It's my belief that almost all Zones except for the root zone should NOT use a KSK/ZSK split. With the signing of the root zone and many TLDs, manual distribution of trust anchors is likely to be uncommon.

Not true. Any responsible organisation will configure their own zone's trust anchors in their resolvers, so they can operate internally when their WAN/uplink is down.

> (2) There is no point in using a larger key size than the smallest key size in the parent chain.

See (1). Those will benefit from additional strength that seems excessive to any parent.

> (3) Using a longer TTL for negative DS responses might be useful. Currently the negative TTL for the com zone is only 900 seconds (the SOA TTL). This is probably appropriate for a NameError (NxDomain) response, but 1 day might be more appropriate for a negative DS response, to improve caching performance and reduce load on servers.

I think this issue should probably be looked at in the light of the "child centric" vs "parent centric" issues we have seen. I don't know the right answer, but some others might have better feedback on this.

Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
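As an added illustration (not part of this thread), a small Python model of the "weakest link" in a DNSSEC chain of trust, showing both point (2) and Paul's reply to (1): a resolver validates from the nearest configured trust anchor downward, so a locally configured anchor for one's own zone takes the parent chain out of the picture. Zone names and key sizes are constructed; the RSA strength mapping follows NIST SP 800-57.

```python
# Added example (not from the thread): model a DNSSEC chain of trust as a
# "weakest link" and show how a locally configured trust anchor changes it.
# Key sizes below are constructed sample values, not real root/com keys.

# Approximate security strength in bits of RSA moduli (NIST SP 800-57).
RSA_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 4096: 140}

# Constructed zone -> RSA modulus size (bits) of the key its parent's DS covers.
ZONE_KEYS = {
    ".": 2048,
    "com.": 1024,
    "example.com.": 2048,
    "corp.example.com.": 4096,
}

def chain(name):
    """Zones from the root down to `name`, e.g. ['.', 'com.', 'example.com.']."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    zones = ["."]
    for i in range(len(labels) - 1, -1, -1):
        zones.append(".".join(labels[i:]) + ".")
    return zones

def validation_path(name, trust_anchors):
    """Zones the resolver actually validates: from the closest configured
    trust anchor down to `name`. Zones above that anchor never matter."""
    zones = chain(name)
    start = 0
    for i, z in enumerate(zones):
        if z in trust_anchors:
            start = i  # the deepest anchor on the path wins
    return zones[start:]

def effective_strength(name, trust_anchors, keys=ZONE_KEYS):
    """Strength of the validated chain = its weakest key, in bits."""
    return min(RSA_STRENGTH[keys[z]] for z in validation_path(name, trust_anchors))

def oversized_keys(name, trust_anchors, keys=ZONE_KEYS):
    """Zones whose key is stronger than the weakest key above them on the
    validated path (the case George's point (2) calls pointless)."""
    weakest_above, report = None, []
    for z in validation_path(name, trust_anchors):
        s = RSA_STRENGTH[keys[z]]
        if weakest_above is not None and s > weakest_above:
            report.append(z)
        weakest_above = s if weakest_above is None else min(weakest_above, s)
    return report
```

With only the root as anchor, com's 1024-bit key caps the whole chain at 80 bits; add a local anchor for example.com. and the internal chain is as strong as example.com.'s own key.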