Hi,

It might also be worth adding a line at the start reminding of the need for 
NSEC and NSEC3 - namely that the signing and serving of the zone are separate 
operations and that it is therefore necessary to create records that cover the 
very large number of non-existent names that lie between the names that do 
exist.

NSEC and NSEC3 are just different ways to achieve this goal and some people 
might prefer one above the other. One is NOT better than the other and it is a 
matter of operational needs that determine which one you select.

It may also be worth removing the mention of cryptographic operations. The 
hashing in NSEC3 is just a way to create new names that cover the same spaces. 
I imagine that many other schemes could have been dreamt up to do this. Hashing 
is just a convenient method.

John
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
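
An added illustration of the point in the message above (not part of the original post, and not code from any DNS implementation): the same gap-covering check proves a name does not exist, whether the chain is ordered by canonical owner name (NSEC) or by RFC 5155 hashed owner name (NSEC3). The zone contents, the empty salt and the zero iteration count are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib

# Constructed sample zone; every name here is an assumption for illustration.
ZONE = ["example.", "a.example.", "mail.example.", "www.example."]
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def canonical_key(name):
    """RFC 4034 canonical order: compare lower-cased labels right to left."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 hash: iterated SHA-1 over wire-format name plus salt, base32hex."""
    labels = name.rstrip(".").lower().split(".")
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").lower()

def covering(owners, key):
    """Return the (owner, next) pair whose gap contains key, or None if key exists."""
    ordered = sorted(owners)
    for owner, nxt in zip(ordered, ordered[1:] + ordered[:1]):
        wraps = nxt <= owner  # the last record points back to the first
        if owner < key < nxt or (wraps and (key > owner or key < nxt)):
            return owner, nxt
    return None

def nsec_denial(zone, qname):
    """NSEC: the chain is ordered by the plain owner names."""
    by_key = {canonical_key(n): n for n in zone}
    gap = covering(by_key, canonical_key(qname))
    return gap and (by_key[gap[0]], by_key[gap[1]])

def nsec3_denial(zone, qname):
    """NSEC3: the same chain logic, applied to hashed owner names."""
    return covering({nsec3_hash(n) for n in zone}, nsec3_hash(qname))

if __name__ == "__main__":
    for q in ("ftp.example.", "www.example."):
        print(q, "NSEC:", nsec_denial(ZONE, q), "NSEC3:", nsec3_denial(ZONE, q))
```

Because the gaps are computed from the zone contents alone, all of these records can be generated and signed ahead of time, before any query for a non-existent name arrives.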
