I finally got around to using a more sensible setting for my personal
domains, i.e. the recommended one.

I did have to refresh my memory on how NSEC3PARAM works by glancing at
RFC 5155 though. Maybe something like this at the end of
"3. Best-practice for zone publishers" would be helpful:

| Since the NSEC3PARAM RR is not used by validating resolvers (see
| [RFC5155] section 4) the iterations and salt parameters can be changed
| without the need to wait for RRsets to expire from caches.  A complete
| new NSEC3 chain needs to be constructed and the zone re-signed.

Section 2.4 is already hinting at this; this spells it out.

Thanks,
Florian
-- 
I'm not entirely sure you are real.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
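
An added example, not part of the original message: the RFC 5155 section 5 hash, used to show why changing the salt or iterations means building a complete new NSEC3 chain. The zone names and the old parameters are constructed, and the new parameters (0 iterations, empty salt) are an assumption about what "the recommended one" refers to.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex alphabet (RFC 4648 section 7).
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical (lowercased) wire format of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: IH(salt, x, k) with SHA-1; '-' means empty salt."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):  # additional iterations on top of the first hash
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def chain(names, salt_hex, iterations):
    """Hashed owner names in chain order, each paired with its successor."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return list(zip(hashes, hashes[1:] + hashes[:1]))

def reusable_links(names, old_params, new_params):
    """NSEC3 records (owner hash, next hash) that would survive the change."""
    return set(chain(names, *old_params)) & set(chain(names, *new_params))

# Constructed zone contents and parameters, for illustration only.
ZONE = ["example.test", "www.example.test", "mail.example.test", "ns1.example.test"]
OLD = ("aabbccdd", 12)   # constructed previous setting
NEW = ("-", 0)           # assumed new setting: empty salt, no extra iterations

if __name__ == "__main__":
    for label, params in (("old", OLD), ("new", NEW)):
        print(label, "chain:")
        for owner, nxt in chain(ZONE, *params):
            print("  ", owner, "->", nxt)
    print("links reusable after the change:", len(reusable_links(ZONE, OLD, NEW)))
```

Every owner hash changes with the parameters, so none of the old NSEC3 records can be kept and each new one needs a fresh RRSIG.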
