Speaker
Duane Wessels
(Verisign)
Description
In 2023, Verisign changed the DNSSEC signing algorithm for the .EDU, .NET, and .COM TLDs from RSA (algorithm 8) to ECDSA (algorithm 13). In this presentation we describe our conservative, double-signing approach to the algorithm rollovers, and our observations of DNS query traffic before, during, and after each rollover.
In particular, we make observations on how DNS glue truncation policies impact response sizes, and on the population of recursive resolvers that are unable to fall back to TCP for large, truncated UDP responses. We'll show metrics that we developed for our real-time dashboards to remain informed of potential problems and discuss options for mitigating any significant impacts.
Primary author
Duane Wessels
(Verisign)