[dns-operations] signing a zone with NSEC3 records.
Florian Weimer
fweimer at bfk.de
Fri Sep 11 07:04:37 UTC 2009
* Mark Andrews:
> In message <82my52dhda.fsf at mid.bfk.de>, Florian Weimer writes:
>> * bert hubert:
>>
>> > Also, NSEC3 significantly increases the size of NXDOMAIN responses
>> > (which need 3 NSEC3 records, plus associated signatures).This increase
>> > will often push the datagram carrying a response beyond the point
>> > where it needs to be fragmented over several packets.
>>
>> On the other hand, NSEC3 *decreases* the size of QTYPE=3DANY responses
>> from resolvers for unsigned delegations. This may be beneficial to
>> certain legacy MTAs. (But I guess the days to pay respect to those
>> poor MTAs are finally over.)
>
> How do you come to that conclusion?
Looking at packets?
> % dig +dnssec any abc.org @B0.ORG.AFILIAS-NST.org.
The relevant case is DO=0. Then the NSEC3 records aren't included
because their owner name doesn't match.
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
More information about the dns-operations
mailing list