[dns-operations] .edu domain algorithm recommendation
Samuel Weiler
weiler at watson.org
Tue Aug 17 14:41:18 UTC 2010
Wow, you're getting some different opinions here.

> 7 and 8 are both RECOMMENDED, only 5 is REQUIRED, is it safe to use just
> algorithm 7, and not 5?

Yes, absolutely. As others have said, those requirement levels are
for the software, not for your deployment. As Ed points out, 7 allows
the use of either NSEC or NSEC3, as do 8 and 10, so the choice between
NSEC and NSEC3 really is separate from the choice of hash algorithm
(since all three of these use RSA for signing).

I second Ed's suggestion to use 8, though 7 or 10 are fine, too.

I also second Michael Sinatra's suggestion to use NSEC: it's simpler
and easier to debug if something is screwy. Only use NSEC3 if you
have a compelling need for it.

-- Sam