Viktor Dukhovni wrote:
> The idea is to log the DNSKEY RRs observed at each zone apex.
> Without the proposed flag, one would also have to log denial of
> existence which would make the logs much too large.

Can you expand on what you mean by "much too large"? There are already existing large scale passive DNS systems that log every RRset that they observe, and on relatively modest amounts of hardware. Is transparency for DNSSEC really all that less tractable than the "log every RRset" problem?

--
Robert Edmonds

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop