[dns-operations] signing a zone with NSEC3 records.

Florian Weimer fweimer at bfk.de
Thu Sep 10 14:06:09 UTC 2009

* bert hubert:

> Also, NSEC3 significantly increases the size of NXDOMAIN responses
> (which need 3 NSEC3 records, plus associated signatures). This increase
> will often push the datagram carrying a response beyond the point
> where it needs to be fragmented over several packets.

On the other hand, NSEC3 *decreases* the size of QTYPE=ANY responses
from resolvers for unsigned delegations.  This may be beneficial to
certain legacy MTAs.  (But I guess the days to pay respect to those
poor MTAs are finally over.)

Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
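
The three NSEC3 records mentioned in the quoted text come from the RFC 5155 closest-encloser proof: one record matches the closest existing ancestor, one covers the next-closer name, and one covers the wildcard at that ancestor. The sketch below is an added example, not part of either poster's message; the zone names, salt, iteration count and function names are constructed for illustration.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex, the encoding of NSEC3 owner labels.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt, iterations):
    """RFC 5155 hash: iterated, salted SHA-1 over the lowercased wire-format name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def build_chain(names, salt, iterations):
    """One (owner_hash, next_hash) pair per name, sorted into a closed ring."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]

def covers(record, h):
    """True if h falls strictly between owner and next; the last record wraps."""
    owner, nxt = record
    return owner < h < nxt if owner < nxt else (h > owner or h < nxt)

def nxdomain_proof(qname, names, salt, iterations):
    """Pick the NSEC3 records proving qname does not exist (no wildcard in play)."""
    chain = build_chain(names, salt, iterations)
    existing = {n.lower().rstrip(".") for n in names}
    labels = qname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):          # strip labels until a name exists
        if ".".join(labels[i:]) in existing:
            break
    else:
        raise ValueError("qname is not below any name in the zone")
    closest, next_closer = ".".join(labels[i:]), ".".join(labels[i - 1:])
    digest = lambda n: nsec3_hash(n, salt, iterations)
    return {
        "closest_encloser": next(r for r in chain if r[0] == digest(closest)),
        "next_closer": next(r for r in chain if covers(r, digest(next_closer))),
        "wildcard": next(r for r in chain if covers(r, digest("*." + closest))),
    }

# Constructed sample zone (empty non-terminals listed explicitly), salt and iterations.
ZONE = ["example", "a.example", "ns1.example", "w.example", "x.w.example",
        "y.w.example", "x.y.w.example"]
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 12

if __name__ == "__main__":
    proof = nxdomain_proof("a.c.x.w.example", ZONE, SALT, ITERATIONS)
    for role, (owner, nxt) in proof.items():
        print(f"{role:17} {owner} -> {nxt}")
```

Two roles can land on the same record, so three is the upper bound; each distinct record in the response is accompanied by its own RRSIG.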
