[Yeti DNS Discuss] 答复: Yeti testbed experience I-D on Github
ljsong at biigroup.cn
Wed Apr 27 15:56:52 UTC 2016
Thanks for the comprehensive review and comment. I response with some prompt
reply in line. Others will be replied or changed later.
>> IPv6 introduces larger IP packet MTU (1280 bytes)
> Larger *minimum* MTU.
>> Is the 512 bytes DNS packet size limitation still observed?
>It is not clear why this sentence is in this paragraph, which is abot KSK
The packets size issue is related to whether to roll the key or not, with a
straightforward plan or prudent one. It is a concern before people make the
decision on KSK rollover.
>> How about longer key with different encryption algorithm?
>All possible "alternative" algorithms (ECDSA, Ed25519) have *shorter* keys.
Yes, it should be edit like " How about longer key or different encryption
>> There is no dynamic update mechanism to inform resolvers and other
>> Internet infrastructure relying on root service of such changes.
>Priming is such a mechanism and should be mentioned.
Agree. It is desired that aggressive use of priming can be used to deal with
the renumbering issue.
>> except the top level apex record
>"top level" and "apex" are redundant.
>> 6 operators use Linux (including Ubuntu, Debian, CentOS).
>And ArchLinux !
>> Since the DNSSEC key of the Yeti root (the KSK) changes often
>> (typically every three months),
>This is currently false.
> Traditional ways include using FTP protocol by doing a wget and using
> dig to get the servers' addresses manually.
>I don't get it. The hints file contain the IP addresses of the servers (the
glue). What's the purpose of dig?
This txt is not from me. I guess it is to use dig command to get the
signature and dnskey , and validate locally ?
More information about the discuss