[dns-operations] signing a zone with NSEC3 records.

Ondřej Surý ondrej.sury at nic.cz
Thu Sep 10 13:40:33 UTC 2009

On 09/10/2009 02:36 PM, Mark Andrews wrote:
> In message <4AA8ED72.5070707 at nic.cz>, Ondřej Surý writes:
>> On 09/10/2009 08:50 AM, Sander Smeenk wrote:
>>> Quoting Samuel Weiler (weiler at watson.org):
>>> though it does grow your (signed) zonefile significantly.
>> Nope.  NSEC3 has an opt-out feature which allows you to keep down zonefile
>> size compared to NSEC.
> Which only helps if you have a delegation centric zone.  99.9999% of
> zones are not delegation centric zones.

You're right.  I'm a bit TLD-centric :), since I guess the TLDs are mostly 
those who care about the size of the zone.

  Ondřej Surý
  vedoucí výzkumu/R&D manager
  CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
  Americka 23, 120 00 Praha 2, Czech Republic
  mailto:ondrej.sury at nic.cz    http://nic.cz/
  tel:+420.222745110       fax:+420.222745112
