Matthew,

At 2016-04-27 08:29:46 -0700
Matthew Pounsett <m...@conundrum.com> wrote:

> On 19 April 2016 at 08:13, Shane Kerr <sh...@time-travellers.org> wrote:
>
> > Also, I'm not sure that it is fair to say "most zones are not signed
> > with NSEC". I guess most *TLDs* are signed with NSEC3 either for zone
> > size reasons or in a (misguided IMHO) attempt to keep the zone
> > contents secret. But is this true for domains that are not
> > delegation-only? And even if it is, are those zones opt-out?
>
> I feel certain someone has this data. Ed Lewis, would this be
> something that would be possible to pull out of your survey of
> signed zones?

I don't have a copy of any of the easily-available big TLDs (com/net/org), but I guess it should be relatively easy to look at the DS records there and see whether NSEC or NSEC3 is used by delegations?

I did ask some developers, and they said that PowerDNSSEC, which is very popular for hosting in Holland at least, defaults to NSEC. IIRC the NL domain is the one with the largest portion of DNSSEC-signed zones (although I don't know what portion of the overall DNSSEC picture this is).

For small to medium zones NSEC seems to make more sense to me... even for large zones once you have a certain amount of the zone that needs RRSIG (delegation doesn't require signatures in NSEC3 opt-out, but DS records still do).

Cheers,

--
Shane
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
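The distinction Shane draws at the end of his message (an NSEC zone carries every name, including insecure delegations, in its chain, while an NSEC3 opt-out zone may omit delegations that have no DS record, but any delegation that does have a DS still needs that DS signed and covered) can be checked mechanically from a zone's own records. The following is an added example, not code from the thread or from any of the implementations mentioned in it. It parses two small constructed zones (placeholder key and digest data, not real records) in a simplified presentation format, reports whether the zone is NSEC or NSEC3, reads the opt-out bit from the NSEC3 Flags field (RFC 5155, bit 0), and counts how many delegations must appear in the denial-of-existence chain under each scheme.

```python
"""Classify a signed zone's denial-of-existence scheme and count the delegations
its chain must cover. Added example; all zone data below is constructed."""
from collections import defaultdict

NSEC3_OPT_OUT_FLAG = 0x01  # RFC 5155 section 3.1.2.1: Opt-Out is bit 0 of Flags

# Constructed NSEC3 opt-out zone: three delegations, only one of them with a DS.
# Hashed owner names, key and digest fields are placeholders, not real values.
NSEC3_OPT_OUT_ZONE = """\
example.            3600 IN SOA    ns1.example. hostmaster.example. 1 7200 3600 1209600 3600
example.            3600 IN NS     ns1.example.
example.            3600 IN DNSKEY 257 3 13 PLACEHOLDERKEYDATA
example.            3600 IN NSEC3PARAM 1 0 0 -
ns1.example.        3600 IN A      192.0.2.1
signed.example.     3600 IN NS     ns.signed.example.
signed.example.     3600 IN DS     12345 13 2 PLACEHOLDERDIGEST
unsigned.example.   3600 IN NS     ns.unsigned.example.
another.example.    3600 IN NS     ns.another.example.
ABCDEF.example.     3600 IN NSEC3  1 1 0 - GHIJKL NS SOA DNSKEY NSEC3PARAM RRSIG
GHIJKL.example.     3600 IN NSEC3  1 1 0 - ABCDEF NS DS RRSIG
"""

# Constructed NSEC zone with the same delegations; every name is in the chain.
NSEC_ZONE = """\
example.            3600 IN SOA    ns1.example. hostmaster.example. 1 7200 3600 1209600 3600
example.            3600 IN NS     ns1.example.
example.            3600 IN DNSKEY 257 3 13 PLACEHOLDERKEYDATA
example.            3600 IN NSEC   another.example. NS SOA DNSKEY RRSIG NSEC
another.example.    3600 IN NS     ns.another.example.
another.example.    3600 IN NSEC   ns1.example. NS RRSIG NSEC
ns1.example.        3600 IN A      192.0.2.1
ns1.example.        3600 IN NSEC   signed.example. A RRSIG NSEC
signed.example.     3600 IN NS     ns.signed.example.
signed.example.     3600 IN DS     12345 13 2 PLACEHOLDERDIGEST
signed.example.     3600 IN NSEC   unsigned.example. NS DS RRSIG NSEC
unsigned.example.   3600 IN NS     ns.unsigned.example.
unsigned.example.   3600 IN NSEC   example. NS RRSIG NSEC
"""


def parse_zone(text):
    """Parse 'owner TTL class type rdata...' lines; returns (owner, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records.append((owner.lower(), rtype.upper(), rdata))
    return records


def classify(zone_text):
    """Return the scheme, opt-out state and delegation counts for a zone."""
    records = parse_zone(zone_text)
    apex = next(owner for owner, rtype, _ in records if rtype == "SOA")

    types_at = defaultdict(set)
    for owner, rtype, _ in records:
        types_at[owner].add(rtype)

    has_nsec3 = any(rtype in ("NSEC3", "NSEC3PARAM") for _, rtype, _ in records)
    has_nsec = any(rtype == "NSEC" for _, rtype, _ in records)
    scheme = "NSEC3" if has_nsec3 else ("NSEC" if has_nsec else "unsigned")

    # NSEC3 rdata: hash-alg, flags, iterations, salt, next-hash, type bitmap
    opt_out = any(rtype == "NSEC3" and int(rdata[1]) & NSEC3_OPT_OUT_FLAG
                  for _, rtype, rdata in records)

    # A delegation is any non-apex name that owns an NS RRset.
    delegations = sorted(o for o, ts in types_at.items() if "NS" in ts and o != apex)
    secure = [d for d in delegations if "DS" in types_at[d]]

    # Opt-out lets insecure delegations be left out of the chain; secure ones
    # (those with a DS, which must carry an RRSIG) always have to be covered.
    # Under NSEC, or NSEC3 without opt-out, every delegation is in the chain.
    in_chain = secure if (scheme == "NSEC3" and opt_out) else delegations

    return {
        "scheme": scheme,
        "opt_out": opt_out,
        "delegations": len(delegations),
        "secure_delegations": len(secure),
        "delegations_in_chain": len(in_chain),
    }


if __name__ == "__main__":
    for name, zone in (("NSEC3 opt-out", NSEC3_OPT_OUT_ZONE), ("NSEC", NSEC_ZONE)):
        print(name, classify(zone))
```

Run against the two constructed zones, the NSEC3 opt-out zone reports one delegation in the chain (the one with a DS) while the NSEC zone reports all three; the difference is the per-delegation signing cost Shane is weighing. The same `classify` function can be pointed at a real zone file once its records are normalised to one record per line.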