Matthew (and Shane), >>>Also, I'm not sure that it is fair to say "most zones are not signed >>>with NSEC". I guess most *TLD* are signed with NSEC3 either for zone >>>size reasons or in a (misguided IMHO) attempt to keep the zone >>>contents secret. But is this true for domains that are not >>>delegation-only? And even if it is, are those zones opt-out? For .nl it is for zone size reasons.
>I did ask some developers, and they said that PowerDNSSEC, which is very popular for >hosting in Holland at least, defaults to NSEC. IIRC the NL domain is the one with the >largest portion of DNSSEC signed zones (although I don't know what portion >of the overall DNSSEC picture this is). Of the 5.628.017 registered domain names, 2.490.637 are signed (roughly 44%). We have a delegation only zone with NSEC3. Regards, Marc Groeneweg SIDN
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
