[dns-operations] signing a zone with NSEC3 records.

Sander Smeenk ssmeenk at freshdot.net
Thu Sep 10 06:50:41 UTC 2009

Quoting Samuel Weiler (weiler at watson.org):

> Unless you have a specific need for NSEC3, use NSEC. unless you
> specifically need it, avoid the complexity.

Maybe it's worth mentioning that with NSEC your zone can be 'spidered',
e.g. i could make an overview of all labels in your zone based on NSEC
records. It's somewhat like allowing AXFR from anyone on your zone(s).

Personally i don't think NSEC3 is so much more 'complex', though it does
grow your (signed) zonefile significantly.

| If TCP/IP handshaking was less formal, 
| perhaps SYN / ACK would be Yo! / 'sup? instead... 
| 4096R/6D40 - 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2

More information about the dns-operations mailing list