[dns-operations] signing a zone with NSEC3 records.

Samuel Weiler weiler at watson.org
Wed Sep 9 21:13:18 UTC 2009

> It looks like NSEC3 is a draft but .gov seems to be still using 
> NSEC3. It is not clear which mode of operation DNS servers should be 
> configured to operate in: NSEC (till NSEC3 becomes a standard) or 
> NSEC3. My understanding so far is a DNS server cannot be run in a 
> mixed (supporting both NSEC and NSEC3) mode.

The NSEC3 RFC is a proposed standard, just like the base DNSSECbis 

Unless you have a specific need for NSEC3, use NSEC.  NSEC3 was added 
to DNSSEC at the behest of a few zone operators who had a specific 
need for its functionality -- unless you specifically need it, avoid 
the complexity.

Most authoritative servers I know about can serve both NSEC and 
NSEC3-signed zones.  A given zone should use only one or the other.

-- Sam
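An offline check for the "a given zone should use only one or the other" rule, added here as an example and not part of Sam's message: it reads a signed zone in presentation format and reports whether it carries NSEC, NSEC3 (or NSEC3PARAM), both, or neither. The zone text below is constructed for the example and is not a real zone.

```python
import re
from collections import Counter

# Constructed sample zone text (not a real signed zone): an NSEC-signed zone,
# and the same zone with NSEC3 records mixed in, which is the case to catch.
NSEC_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2009090901 7200 3600 1209600 3600
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN NSEC ns1.example.test. NS SOA RRSIG NSEC DNSKEY
ns1.example.test. 3600 IN A 192.0.2.1  ; comment after the record
ns1.example.test. 3600 IN NSEC example.test. A RRSIG NSEC
"""

MIXED_ZONE = NSEC_ZONE + """\
example.test. 0 IN NSEC3PARAM 1 0 10 AABBCCDD
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.test. 3600 IN NSEC3 1 0 10 AABBCCDD 2t7b4g4vsa5smi47k61mv5bv1a22bojr A RRSIG
"""

DENIAL_TYPES = ("NSEC", "NSEC3", "NSEC3PARAM")
TTL_RE = re.compile(r"^\d+[smhdw]?$", re.IGNORECASE)
CLASSES = {"IN", "CH", "HS"}


def rr_type(line):
    """Return the RR type of one presentation-format record line, or None.

    Fields after the owner name are: optional TTL, optional class, then type.
    Comments (';') and directives ('$TTL', '$ORIGIN') are skipped.
    """
    line = line.split(";", 1)[0].strip()
    if not line or line.startswith("$"):
        return None
    for field in line.split()[1:]:
        if TTL_RE.match(field) or field.upper() in CLASSES:
            continue
        return field.upper()
    return None


def count_denial_records(zone_text):
    """Count NSEC, NSEC3 and NSEC3PARAM records in the zone text."""
    counts = Counter()
    for line in zone_text.splitlines():
        t = rr_type(line)
        if t in DENIAL_TYPES:
            counts[t] += 1
    return counts


def denial_mode(zone_text):
    """Classify the zone as 'NSEC', 'NSEC3', 'MIXED' or 'unsigned'."""
    c = count_denial_records(zone_text)
    has_nsec = c["NSEC"] > 0
    has_nsec3 = c["NSEC3"] > 0 or c["NSEC3PARAM"] > 0
    if has_nsec and has_nsec3:
        return "MIXED"  # both denial types present: not a finished signed zone
    return "NSEC3" if has_nsec3 else ("NSEC" if has_nsec else "unsigned")
```

Run `denial_mode(open("db.example.signed").read())` against a zone file produced by your signer; anything other than the single mode you intended (or "MIXED" lingering after a transition) is worth investigating before serving the zone.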

