I suppose most of you are aware of the plans for signing the root zone by ICANN/VeriSign presented at the last RIPE meeting
<http://www.ripe.net/ripe/meetings/ripe-59/presentations/uploads//presentations/Tuesday/Plenary%2014:00/Abley-DNSSEC_for_the_Root_Zone.mId7.pdf> According to the draft timeline (slide 25), the first signed zone should appear on one of the root name servers in January. Now would be a good time to check whether your network is transparent for DNS packets that use the ENDS0 extension for large segments, see for example <http://labs.ripe.net/content/preparing-k-root-signed-root-zone> and <https://www.dns-oarc.net/oarc/services/replysizetest>. Note that all current BIND 9 releases set the EDNS0 "DO" flag (request for DNSSEC records) and use a default segment size of 4096 bytes by default in iterative queries even if DNSSEC is disabled in the configuration. -- Alex _______________________________________________ swinog mailing list [email protected] http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
