* Mark Andrews: >> I didn't say it was a DNSSEC problem. I just wanted to note it's >> impossible to secure some existing DNSBL zones using DNSSEC without >> sacrificing some of the functionality which is mentioned in section >> 2.1 in the draft. > > I still don't believe your claim. I can't sign a thousand million RRsets and serve it in a DoS-resilient manner, even with John's partitioning idea (which is rather neat, thanks!). Macro expansion in the client brings down the number of RRsets to a challenging, but manageable level. Chris says there's precedent for that, so I think we can end this subthread (or move the discussion to some place where the topic of DNSSEC scalability would be more on-topic). _______________________________________________ Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf