On Mon, 22 Feb 2010, Doug Barton wrote:

> On 02/22/10 05:14, Roy Arends wrote:
>> On Feb 22, 2010, at 4:44 AM, W.C.A. Wijngaards wrote:
>>> The deployment of NSEC3-signed toplevel domains is a giant hash
>>> collision test of typo dictionaries.
>>
>> Not really, most (will) use Opt-Out.
>
> Has anyone done a side-by-side comparison of nsec/nsec3 +/- opt-out with
> the benefits and drawbacks of each? If such a document already exists
> and I've just missed it my apologies.

Not that I know of, but for a TLD of 1.2M entries, we decided to use
NSEC3 without opt-out. To the signer machine, there is not that much
difference, especially when you take in signature re-use. So apart
from the 10M+ zones, I don't really see the use of opt-out much. Unless
your nameservers are old 32-bit hardware and stuck with 3GB per bind process.

Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
