[dns-operations] signing a zone with NSEC3 records.

bert hubert bert.hubert at netherlabs.nl
Thu Sep 10 09:01:44 UTC 2009

On Thu, Sep 10, 2009 at 10:41 AM, Mark Andrews<marka at isc.org> wrote:
> It is significantly more complex and more expensive operationally
> for both the authoritative servers and the validating resolvers.
> Unless you really need the features NSEC3 brings there is no point
> in using it.

Also, NSEC3 significantly increases the size of NXDOMAIN responses
(which need 3 NSEC3 records, plus associated signatures).This increase
will often push the datagram carrying a response beyond the point
where it needs to be fragmented over several packets.

Fragments are pretty bad at penetrating many corporate and home
firewalls, leading to timeouts and eventually to a large increase in
TCP queries, which similarly have a harder time traversing firewalls,
plus put an operational load on the authoritative servers.


More information about the dns-operations mailing list