[dns-operations] signing a zone with NSEC3 records.

David Blacka davidb at verisign.com
Thu Sep 10 13:17:15 UTC 2009

On Sep 10, 2009, at 5:01 AM, bert hubert wrote:

> On Thu, Sep 10, 2009 at 10:41 AM, Mark Andrews<marka at isc.org> wrote:
>> It is significantly more complex and more expensive operationally
>> for both the authoritative servers and the validating resolvers.
>> Unless you really need the features NSEC3 brings there is no point
>> in using it.
> Also, NSEC3 significantly increases the size of NXDOMAIN responses
> (which need 3 NSEC3 records, plus associated signatures).This increase
> will often push the datagram carrying a response beyond the point
> where it needs to be fragmented over several packets.

That isn't what I've seen.  Well, the NXDOMAIN *are* bigger, sure, but  
not so big as to fragment.  For the zones the I'm working on, the  
NXDOMAIN is about 1000 bytes, well below most path MTUs.

So either you are using much larger ZSKs, are thinking that the path  
MTUs are much smaller than I do, or are exaggerating for effect.

David Blacka                          <davidb at verisign.com>
Sr. Engineer          VeriSign Platform Product Development

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4272 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20090910/b04ac574/attachment.bin>

More information about the dns-operations mailing list