Matthijs Mekking wrote:
> IXFR with DNSSEC is suddenly not so small anymore. Do you recognize
> this?
That is a problem of DNSSEC and, worse, even with the proposal,
neither AXFR nor IXFR won't be so small.
So, if the point of the proposal is to make IXFR with DNSSEC
small, the proposal is wrong.
Even if it is not and something should change, it should be done
only after DNSSEC specification stabilizes (e.g. no new NSEC*
proposals any more for considerable amount of time and most
of NSEC* is obsoleted).
> Olafur and I have some ideas on keeping those zone transfers
> small.
Wrong. With DNSSEC, you can't keep them small.
The conventional wisdom widely deployed by many operators is
not to use DNSSEC, which is not very secure.
Masataka Ohta
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
