[dns-operations] .edu domain algorithm recommendation

Samuel Weiler weiler at watson.org
Tue Aug 17 14:41:18 UTC 2010

Wow, you're getting some different opinions here.

> 7 and 8 are both RECOMMENDED, only 5 is REQUIRED, is it safe to use just 
> algorithm 7, and not 5?

Yes, absolutely.  As others have said, those requirement levels are 
for the software, not for your deployment.  As Ed points out, 7 allows 
the use of either NSEC or NSEC3, as do 8 and 10, so the choice between 
NSEC and NSEC3 really is separate from the choice of hash algorithm 
(since all three of these use RSA for signing).

I second Ed's suggestion to use 8, though 7 or 10 are fine, too.

I also second Michael Sinatra's suggestion to use NSEC: it's simpler 
and easier to debug if something is screwy.  Only use NSEC3 if you 
have a compelling need for it.

-- Sam

More information about the dns-operations mailing list