
[public-dns-discuss] Re: sales.hpcl.co.in not resolving via

I wrote
If the domain owners want to increase the security of their DNS zone, they should switch to SHA-256 (DNSKEY algorithm 8) with 2048- or 3072-bit KSKs, which are smaller but more resistant to hash collision attacks.

An alternate solution for the domain owners might be to sign the DNSKEY RRSet only with the ZSK, rather than with the ZSK and KSK. That could possibly bring the response size below 1500 bytes and avoid fragmentation.
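
The size reasoning in the message above can be checked with a short estimator. This is an added example, not part of the original post: the zone name `example.com.`, the key-size combinations, the IPv4/UDP overhead and the 1500-byte MTU are assumptions constructed for illustration, and the record layouts follow RFC 1035, RFC 4034 and RFC 3110.

```python
# Added example: estimates the wire size of a DNSKEY response.
# The zone name and all key sets below are constructed, not taken from the thread.

IP_UDP_OVERHEAD = 20 + 8   # assumption: IPv4 header without options + UDP header
MTU = 1500                 # assumption: standard Ethernet MTU

def name_len(name):
    """Uncompressed wire length of a domain name."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(len(l) + 1 for l in labels) + 1  # length octet per label + root

def rsa_dnskey_rdata(bits, exponent=65537):
    """DNSKEY RDATA size for an RSA key (RFC 3110 public key format)."""
    exp_len = (exponent.bit_length() + 7) // 8
    exp_prefix = 1 if exp_len <= 255 else 3
    return 2 + 1 + 1 + exp_prefix + exp_len + bits // 8  # flags, proto, alg, key

def rrsig_rdata(zone, signer_bits):
    """RRSIG RDATA size: 18 fixed octets + uncompressed signer name + signature."""
    return 18 + name_len(zone) + signer_bits // 8

def dnskey_response_size(zone, key_bits, signer_bits, edns=True):
    """DNS message size for a DNSKEY query answered with the RRset and its RRSIGs."""
    rr_fixed = 2 + 10  # compressed owner pointer + type, class, TTL, RDLENGTH
    size = 12 + name_len(zone) + 4  # header + question section
    size += sum(rr_fixed + rsa_dnskey_rdata(b) for b in key_bits)
    size += sum(rr_fixed + rrsig_rdata(zone, b) for b in signer_bits)
    return size + (11 if edns else 0)  # OPT pseudo-RR carrying no options

def fragments(dns_size):
    """True if the UDP datagram would exceed the MTU and be fragmented."""
    return dns_size + IP_UDP_OVERHEAD > MTU

if __name__ == "__main__":
    zone = "example.com."  # constructed zone name
    cases = {
        "4096 KSK + 2048 ZSK, both sign": ([4096, 2048], [4096, 2048]),
        "2048 KSK + 2048 ZSK, both sign": ([2048, 2048], [2048, 2048]),
        "4096 KSK + 2048 ZSK, one 2048-bit signature": ([4096, 2048], [2048]),
    }
    for label, (keys, signers) in cases.items():
        n = dnskey_response_size(zone, keys, signers)
        print(f"{label}: {n} bytes, fragments={fragments(n)}")
```

The estimator covers size only; whether a given set of signatures validates depends on which key the parent zone's DS record references.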
