On 3/27/23, 9:08 PM, "dns-operations on behalf of Viktor Dukhovni" wrote:
>Perhaps, but until the mythical post-quantum DNSSEC is needed, online
>signers will use ECDSA, for which denial of existence is already
>sufficiently compact, even with 4 RRSIGs (SOA + 3 NSEC3).
Idle muttering
--- Begin Message ---
<8, RSA-SHA1 vs RSA-SHA1-NSEC3). But a new
on-the-fly denial of existence might prove to be worth it in operations.>>
Well, we are overdue for starting over on dnssec, which we used to do every two
years or so. But does the next generation have the will to do so?
p vixi
From: "p...@redbarn.org"
Date: Tuesday, April 11, 2023 at 11:11 AM
To: "dns-operati...@dns-oarc.net", Edward Lewis
Subject: Re: [dns-operations] [Ext] Re: Cloudflare TYPE65283
>Well, we are overdue for starting over on dnssec, which we used to do every
>two years or so. But does the next gene
> On 11 Apr 2023, at 9:57 am, Edward Lewis wrote:
>
> Sure, the cost of replacing NSEC and NSEC3 would be another resource record
> type code roll (such as 5->8, RSA-SHA1 vs RSA-SHA1-NSEC3). But a new
> on-the-fly denial of existence might prove to be worth it in operations.
No such hefty