[dns-operations] signing a zone with NSEC3 records.
Ondřej Surý
ondrej.sury at nic.cz
Thu Sep 10 13:40:33 UTC 2009
On 09/10/2009 02:36 PM, Mark Andrews wrote:
> In message<4AA8ED72.5070707 at nic.cz>, =?UTF-8?B?T25kxZllaiBTdXLDvQ==?= writes:
>> On 09/10/2009 08:50 AM, Sander Smeenk wrote:
>>> Quoting Samuel Weiler (weiler at watson.org):
>>>
>>> though it does grow your (signed) zonefile significantly.
>> Nope. NSEC3 has opt-out feature which allows you to keep down zonefile
>> size compared to NSEC.
>
> Which only helps if you have a delegation centric zone. 99.9999% of
> zones are not delegation centric zones.
You're right. I'm bit TLD-centric :), since I guess the TLDs are mostly
those who care about size of the zone.
Ondrej.
--
Ondřej Surý
vedoucí výzkumu/R&D manager
-------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Americka 23, 120 00 Praha 2, Czech Republic
mailto:ondrej.sury at nic.cz http://nic.cz/
tel:+420.222745110 fax:+420.222745112
-------------------------------------------
More information about the dns-operations
mailing list