[dns-operations] signing a zone with NSEC3 records.
Samuel Weiler
weiler at watson.org
Wed Sep 9 21:13:18 UTC 2009
> It looks like NSEC3 is a draft but .gov seems to be still using
> NSEC3. It is not clear which mode of operation DNS servers should be
> configured to operate in: NSEC (till NSEC3 becomes a standard) or
> NSEC3. My understanding so far is a DNS server cannot be run in a
> mixed (supporting both NSEC and NSEC3) mode.
The NSEC3 RFC is a proposed standard, just like the base DNSSECbis
documents.
Unless you have a specific need for NSEC3, use NSEC. NSEC3 was added
to DNSSEC at the behest of a few zone operators who had a specific
need for its functionality -- unless you specifically need it, avoid
the complexity.
Most authoritative servers I know about can serve both NSEC and
NSEC3-signed zones. A given zone should use only one or the other.
-- Sam
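The "complexity" Sam refers to is mostly the hashed owner names: with NSEC3 a resolver cannot read denial of existence off the zone directly, it has to hash the query name exactly as the signer did (RFC 5155: SHA-1 over the canonical wire-format name, salt appended, iterated, base32hex-encoded) and then find the record whose hash interval covers it. The following is an added illustration, not code from the original post or from any list member; it implements that hashing and interval check in Python, assuming hash algorithm 1 (SHA-1, the only one defined), and uses the salt "aabbccdd" / 12 iterations from the RFC 5155 Appendix A example zone so the output can be compared against the published vectors. The small NSEC3 chain used for the covering check is constructed for the demonstration.

```python
import base64
import hashlib

# RFC 5155 uses base32hex (RFC 4648 "extended hex" alphabet) for owner names.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX32 = bytes.maketrans(_B32_STD, _B32_HEX)


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) uncompressed wire format of a domain name."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    out = b""
    for lbl in labels:
        raw = lbl.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % lbl)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """Hashed owner label per RFC 5155 section 5: IH(salt, x, k)."""
    if algorithm != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()   # IH(salt, x, 0)
    for _ in range(iterations):                              # IH(salt, x, k)
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> exactly 32 base32 chars, so no padding to strip
    return base64.b32encode(digest).translate(_TO_HEX32).decode("ascii").lower()


def nsec3_covers(owner_hash: str, next_hash: str, query_hash: str) -> bool:
    """True if query_hash lies strictly between owner and next in the chain.

    base32hex was chosen so that plain string order equals binary order.
    The last record in the chain has next < owner and wraps around to the
    first hashed name in the zone.
    """
    owner, nxt, q = owner_hash.lower(), next_hash.lower(), query_hash.lower()
    if owner < nxt:
        return owner < q < nxt
    return q > owner or q < nxt


def check_denial(qname: str, chain, salt_hex: str, iterations: int):
    """Classify qname against a chain of (owner_hash, next_hash) tuples.

    Returns ("match", owner) when the name exists (a NODATA-style proof),
    ("covered", owner) when exactly one record proves the name is absent,
    or ("unproven", None) when the chain supplies no proof at all.
    """
    h = nsec3_hash(qname, salt_hex, iterations)
    for owner, nxt in chain:
        if owner.lower() == h:
            return ("match", owner)
    covering = [owner for owner, nxt in chain if nsec3_covers(owner, nxt, h)]
    if len(covering) == 1:
        return ("covered", covering[0])
    return ("unproven", None)


if __name__ == "__main__":
    # Parameters of the RFC 5155 Appendix A example zone.
    SALT, ITER = "aabbccdd", 12
    for n in ("example", "a.example", "ai.example"):
        print("%-12s -> %s" % (n, nsec3_hash(n, SALT, ITER)))
```

With NSEC the resolver compares the query name to the owner and next-owner names directly; here every lookup first costs `iterations + 1` SHA-1 operations and the ordering is over hashes, which is why a zone that does not need opt-out or protection against zone walking gains nothing by paying for it.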