[Yeti DNS Discuss] 答复: Yeti testbed experience I-D on Github

Davey Song(宋林健) ljsong at biigroup.cn
Wed Apr 27 15:56:52 UTC 2016

Thanks for the comprehensive review and comment. I response with some prompt
reply in line. Others will be replied or changed later.

>> IPv6 introduces larger IP packet MTU (1280 bytes)

> Larger *minimum* MTU.
>> Is the 512 bytes DNS packet size limitation still observed?

>It is not clear why this sentence is in this paragraph, which is abot KSK
The packets size issue is related to whether to roll the key or not, with a
straightforward plan or prudent one. It is a concern before people make the
decision on KSK rollover.

>> How about longer key with different encryption algorithm?

>All possible "alternative" algorithms (ECDSA, Ed25519) have *shorter* keys.
Yes, it should be edit like " How about longer key or different encryption

>> There is no dynamic update mechanism to inform resolvers and other 
>> Internet infrastructure relying on root service of such changes.

>Priming is such a mechanism and should be mentioned.
Agree. It is desired that aggressive use of priming can be used to deal with
the renumbering issue. 

>> except the top level apex record

>"top level" and "apex" are redundant.

>> 6 operators use Linux (including Ubuntu, Debian, CentOS).

>And ArchLinux !

>> Since the DNSSEC key of the Yeti root (the KSK) changes often 
>> (typically every three months),

>This is currently false.

> Traditional ways include using FTP protocol by doing a wget and using 
> dig to get the servers' addresses manually.

>I don't get it. The hints file contain the IP addresses of the servers (the
glue). What's the purpose of dig?

This txt is not from me. I guess it is to use dig command to get the
signature and dnskey , and validate locally ?


More information about the discuss mailing list