[dns-operations] signing a zone with NSEC3 records.
Florian Weimer
fweimer at bfk.de
Thu Sep 10 14:06:09 UTC 2009
* bert hubert:
> Also, NSEC3 significantly increases the size of NXDOMAIN responses
> (which need 3 NSEC3 records, plus associated signatures).This increase
> will often push the datagram carrying a response beyond the point
> where it needs to be fragmented over several packets.
On the other hand, NSEC3 *decreases* the size of QTYPE=ANY responses
from resolvers for unsigned delegations. This may be beneficial to
certain legacy MTAs. (But I guess the days to pay respect to those
poor MTAs are finally over.)
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
More information about the dns-operations
mailing list