On Sat, Mar 09, 2024 at 10:46:17AM +0100, Joachim Lindenberg via Postfix-users
wrote:
> > Viktor Dukhovni:
> > not sufficient market pressure to make it a priority.
> Unfortunately yes, not yet.
> > various load balancers would need to do online DNSSEC signing
> Can you please elaborate why that should be required?
Some of the load balancing is DNS-based, directing users to "nearby"
datacentre locations, that are currently up and not experiencing
overload. So names like "www.google.com" have return addresses with
short TTLs and different content for different queries.

Static DNSSEC signing is a poor fit for this, so signing needs to be
on-the-fly. Cloudflare does this, so there's a proof of concept, but
it is a non-trivial implementation requiring some engineering effort,
well beyond just spinning up BIND or Knot for a statically signed zone.
--
Viktor.
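
An added illustration of the on-the-fly signing discussed above; it is not code from this thread or from any DNS product. It builds the RFC 4034 section 3.1.8.1 signing input for whichever A RRset was selected for a query and signs it with Ed25519 (DNSSEC algorithm 15), showing that a signature is bound to the exact address set returned. The names `wireName`, `signedData` and `demo`, the owner `www.example.com`, the key tag 12345 and the documentation-range addresses are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
	"net/netip"
	"sort"
	"strings"
)

// wireName returns the canonical (lowercase, uncompressed) wire form of a name
// given without a trailing dot.
func wireName(name string) []byte {
	var b []byte
	for _, l := range strings.Split(strings.ToLower(name), ".") {
		b = append(append(b, byte(len(l))), l...)
	}
	return append(b, 0)
}

// signedData builds the RFC 4034 section 3.1.8.1 signing input for an A RRset:
// the RRSIG RDATA without the signature, then the RRs in canonical order.
func signedData(owner, zone string, ttl, expire, incept uint32, tag uint16, addrs []netip.Addr) []byte {
	be := binary.BigEndian
	d := []byte{0, 1, 15, byte(strings.Count(owner, ".") + 1)} // type A, alg 15, label count
	d = be.AppendUint32(be.AppendUint32(be.AppendUint32(d, ttl), expire), incept)
	d = append(be.AppendUint16(d, tag), wireName(zone)...) // key tag, signer name
	sorted := append([]netip.Addr(nil), addrs...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Less(sorted[j]) })
	for _, a := range sorted {
		ip := a.As4()
		d = append(append(d, wireName(owner)...), 0, 1, 0, 1)       // owner, TYPE A, CLASS IN
		d = append(append(be.AppendUint32(d, ttl), 0, 4), ip[:]...) // TTL, RDLENGTH, RDATA
	}
	return d
}

// demo signs one constructed regional answer at "query time" and checks the
// signature against that answer and against a different region's answer.
func demo(now uint32) (ownOK, otherOK bool) {
	pub, key, _ := ed25519.GenerateKey(nil) // throwaway zone-signing key
	data := func(a []netip.Addr) []byte {
		return signedData("www.example.com", "example.com", 30, now+3600, now-3600, 12345, a)
	}
	eu := []netip.Addr{netip.MustParseAddr("192.0.2.11"), netip.MustParseAddr("192.0.2.10")}
	us := []netip.Addr{netip.MustParseAddr("198.51.100.7")}
	sig := ed25519.Sign(key, data(eu)) // computed only after the answer was chosen
	return ed25519.Verify(pub, data(eu), sig), ed25519.Verify(pub, data(us), sig)
}

func main() { fmt.Println(demo(1709977577)) }
```

Because each distinct address set needs its own RRSIG, a statically signed zone would have to carry a signature for every answer the load balancer might ever return.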