[afnog] Root Zone DNSSEC Deployment Technical Status Update

Joe Abley jabley at hopcount.ca
Wed May 19 14:18:41 UTC 2010


On 2010-05-19, at 05:36, Phil Regnauld wrote:

> Joe Abley (joe.abley) writes:
>> 
>> Note that only a tiny handful of the $BIGNUM zones on the Internet are signed at present, however, so the practical increase in traffic due to DNSSEC today (or in July) will be small.
> 
> 	... if you enable DNSSEC validation, note.

Even if you don't enable DNSSEC validation, if the zone is signed and you are running recent software you will still get large responses (e.g. BIND9 and unbound both set DO=1 even with DNSSEC validation turned off). This was the reason we trod so gently as we rolled out signed RRSets in the root zone.


Joe




More information about the afnog mailing list