[dns-operations] signing a zone with NSEC3 records.

Florian Weimer fweimer at bfk.de
Fri Sep 11 07:04:37 UTC 2009

* Mark Andrews:

> In message <82my52dhda.fsf at mid.bfk.de>, Florian Weimer writes:
>> * bert hubert:
>> > Also, NSEC3 significantly increases the size of NXDOMAIN responses
>> > (which need 3 NSEC3 records, plus associated signatures).This increase
>> > will often push the datagram carrying a response beyond the point
>> > where it needs to be fragmented over several packets.
>> On the other hand, NSEC3 *decreases* the size of QTYPE=3DANY responses
>> from resolvers for unsigned delegations.  This may be beneficial to
>> certain legacy MTAs.  (But I guess the days to pay respect to those
>> poor MTAs are finally over.)
> How do you come to that conclusion?

Looking at packets?

> % dig +dnssec any abc.org @B0.ORG.AFILIAS-NST.org.

The relevant case is DO=0.  Then the NSEC3 records aren't included
because their owner name doesn't match.

Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

More information about the dns-operations mailing list