Viktor Dukhovni wrote:
> The idea is to log the DNSKEY RRs observed at each zone apex.
> Without the proposed flag, one would also have to log denial of
> existence which would make the logs much too large.

Can you expand on what you mean by "much too large"? There are already
existing large-scale passive DNS systems that log every RRset that they
observe, and on relatively modest amounts of hardware. Is transparency
for DNSSEC really all that less tractable than the "log every RRset"
problem?

-- 
Robert Edmonds

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
