Consider dropping inactive ZSK from secure-zone defaults #824

Habbie opened this Issue May 21, 2013 · 1 comment



Habbie commented May 21, 2013

secure-zone generates KSK+2xZSK currently, with one ZSK inactive. Not many users appear to care or even know about this inactive ZSK. Removing it would drop our DNSKEY RRset size to below 512 bytes for the default algo (8), and this improves interoperability (for example, Google DNS right now has trouble dealing with DNSKEY RRsets of this size).

mind04 commented May 21, 2013

yes please

Habbie closed this in 496073b May 21, 2013
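The size argument in the opening comment can be checked by encoding the DNSKEY RRset in wire format, shown here as an added example that is not part of the thread or of PowerDNS code. It assumes a 2048-bit KSK and 1024-bit ZSKs (the issue does not state key sizes), a public exponent of 65537, and owner names compressed to 2-byte pointers; RRSIGs and the message header are not counted.

```python
import struct

DNSKEY_TYPE, CLASS_IN = 48, 1
RSASHA256 = 8          # the "default algo (8)" named in the issue
KSK, ZSK = 257, 256    # DNSKEY flags values (RFC 4034)

def rsa_public_key(bits, exponent=65537):
    """RFC 3110 key field: 1-byte exponent length, exponent, modulus."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    modulus = b"\xff" * (bits // 8)  # constructed filler bytes, not a real key
    return bytes([len(exp)]) + exp + modulus

def dnskey_rdata(flags, bits):
    """RFC 4034 DNSKEY RDATA: flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, RSASHA256) + rsa_public_key(bits)

def rrset_wire_size(keys, ttl=3600):
    """Bytes the DNSKEY RRset occupies in a response's answer section."""
    total = 0
    for flags, bits in keys:
        rdata = dnskey_rdata(flags, bits)
        # Owner name as a compression pointer to the question name (offset 12).
        header = b"\xc0\x0c" + struct.pack(
            "!HHIH", DNSKEY_TYPE, CLASS_IN, ttl, len(rdata))
        total += len(header) + len(rdata)
    return total

# Assumed key sizes: 2048-bit KSK, 1024-bit ZSKs (not stated in the issue).
WITH_INACTIVE_ZSK = [(KSK, 2048), (ZSK, 1024), (ZSK, 1024)]
WITHOUT_INACTIVE_ZSK = [(KSK, 2048), (ZSK, 1024)]

def report():
    """Map each key layout to its DNSKEY RRset size in bytes."""
    return {
        "KSK+2xZSK": rrset_wire_size(WITH_INACTIVE_ZSK),
        "KSK+1xZSK": rrset_wire_size(WITHOUT_INACTIVE_ZSK),
    }

if __name__ == "__main__":
    for layout, size in report().items():
        side = "over" if size > 512 else "under"
        print(f"{layout}: {size} bytes ({side} 512)")
```

Under these assumptions the three-key RRset is larger than 512 bytes and the two-key RRset is smaller, which matches the claim in the issue.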