Also note we can do both _ta-XXXX/NULL and a EDNS option with
_ta-XXXX/NULL being the short term solution and the EDNS option
being a long term solution. Aggressive negative caching is potentially
going to have a impact on _ta-XXXX/NULL as all the _ta-XXXX labels
are going to be in the same NSEC range.
<zone> NSEC <first-name>.<zone> ...
or
*.<zone> NSEC <second-name>.<zone> ...
Note a zone operator can defeat the aggressive negative caching by
adding records with _ta-xxxx ownernames for the known tags sets.
For a single algorithm KSK roll this would be where xxxx is the old
tag and yyyy the new tag.
_ta-xxxx.<zone>
_ta-xxxxyyyy.<zone> or _ta-yyyyxxxx
_ta-yyyy.<zone>
Note this is also a example of the negative effects of aggressive
negative caching.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
