* Mark Andrews:
I didn't say it was a DNSSEC problem. I just wanted to note it's
impossible to secure some existing DNSBL zones using DNSSEC without
sacrificing some of the functionality which is mentioned in section
2.1 in the draft.
I still don't believe your claim.
I can't sign a thousand million RRsets and serve it in a DoS-resilient
manner, even with John's partitioning idea (which is rather neat,
thanks!).
Macro expansion in the client brings down the number of RRsets to a
challenging, but manageable level. Chris says there's precedent for
that, so I think we can end this subthread (or move the discussion to
some place where the topic of DNSSEC scalability would be more
on-topic).
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf