[dns-operations] .SE moving from DNSSEC algo 5 to 8

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Dec 11 07:28:39 UTC 2017



> On Dec 11, 2017, at 1:55 AM, Arsen STASIC <arsen.stasic at univie.ac.at> wrote:
> 
> Have you considered using NSEC3 with opt-out (for memory reasons)?

Based on a day or two old copy of the .com zone, I see
743,602 secure delegations from .com.  Given that .com
has around 130 million domains[1], it makes much sense
for .com signing to be sparse.

On the other hand, a freshly downloaded .se zone has
by comparison only 1,768,559 NS RRsets and 823,476 DS
RRsets.  So NSEC3 would not significantly reduce the
zone size, and could even make it larger (larger NSEC3
qnames and values).  NSEC3 also increases the sizes of
negative responses.

So for a zone like .se, which makes the entire zone
content public, and has around 50% or greater DNSSEC
adoption, NSEC may well be the more sound choice.

-- 
	Viktor.

[1] https://www.verisign.com/en_US/domain-names/dnib/index.xhtml
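The size argument above (fewer NSEC3 records under opt-out, but each one larger because of the 32-character hashed owner label and the 20-byte next-hash field) can be checked numerically. The following is an added example, not code from Viktor's message or from the thread: it builds a constructed mini zone with a mix of secure and insecure delegations, computes the RFC 5155 NSEC3 owner-name hash, and totals the uncompressed wire size of the NSEC chain versus an opt-out NSEC3 chain. The zone name, delegation names, empty salt and zero iterations are assumptions chosen for the illustration; RRSIGs over the chain records are not counted.

```python
"""Added example (not from the original post): size the NSEC chain against an
NSEC3 opt-out chain for a constructed mini zone, using RFC 4034/5155 wire formats."""
import base64
import hashlib

# Constructed data: hypothetical apex and delegations as (owner name, has DS).
ZONE = "example."
DELEGATIONS = [
    ("alpha.example.", True),
    ("beta.example.", False),
    ("gamma.example.", True),
    ("delta.example.", False),
    ("epsilon.example.", True),
    ("zeta.example.", False),
]

# RR type numbers from the IANA DNS parameters registry.
NS, SOA, DS, RRSIG, NSEC, DNSKEY, NSEC3PARAM = 2, 6, 43, 46, 47, 48, 51

# RFC 4648 base32 -> base32hex (the alphabet NSEC3 owner labels use).
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical (lowercase) uncompressed wire form, RFC 4034 section 6.2."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: H(name||salt), re-hashed `iterations` times, base32hex."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 SHA-1 bytes encode to exactly 32 base32 characters, no padding.
    return base64.b32encode(digest).decode().translate(_B32_TO_B32HEX).lower()


def type_bitmap_len(types):
    """RFC 4034 4.1.2 type bitmap: window byte + length byte + bitmap bytes.
    All types used here are below 256, so one window suffices."""
    return 2 + (max(types) // 8 + 1)


def rr_size(owner, rdata_len):
    """Uncompressed RR wire size: owner name + TYPE/CLASS/TTL/RDLENGTH + RDATA."""
    return len(wire_name(owner)) + 10 + rdata_len


def canonical_order(names):
    """RFC 4034 6.1 canonical ordering: compare labels rightmost first."""
    return sorted(names, key=lambda n: tuple(reversed(n.rstrip(".").lower().split("."))))


def nsec_chain(zone, delegations):
    """One NSEC per name (apex included); next-name is the following name in order."""
    names = canonical_order([zone] + [n for n, _ in delegations])
    has_ds = dict(delegations)
    total = 0
    for i, owner in enumerate(names):
        nxt = names[(i + 1) % len(names)]
        if owner == zone:
            types = [SOA, NS, RRSIG, NSEC, DNSKEY]
        else:
            types = [NS, DS, RRSIG] if has_ds[owner] else [NS]
        total += rr_size(owner, len(wire_name(nxt)) + type_bitmap_len(types))
    return len(names), total


def nsec3_chain(zone, delegations, salt_hex, iterations, opt_out=True):
    """With opt-out (RFC 5155 section 6) insecure delegations get no NSEC3 record;
    each record has a 32-char hashed owner label and a 20-byte next-hash field."""
    names = [zone] + [n for n, ds in delegations if ds or not opt_out]
    has_ds = dict(delegations)
    salt_len = 0 if salt_hex == "-" else len(bytes.fromhex(salt_hex))
    total = 0
    for owner in names:
        if owner == zone:
            types = [SOA, NS, RRSIG, DNSKEY, NSEC3PARAM]
        else:
            types = [NS, DS, RRSIG] if has_ds[owner] else [NS]
        hashed_owner = nsec3_hash(owner, salt_hex, iterations) + "." + zone
        # alg(1) flags(1) iterations(2) saltlen(1) salt hashlen(1) hash(20) bitmap
        rdata = 1 + 1 + 2 + 1 + salt_len + 1 + 20 + type_bitmap_len(types)
        total += rr_size(hashed_owner, rdata)
    return len(names), total


def compare(zone=ZONE, delegations=DELEGATIONS, salt_hex="-", iterations=0):
    """Record counts and total chain bytes for NSEC versus NSEC3 with opt-out."""
    n1, b1 = nsec_chain(zone, delegations)
    n3, b3 = nsec3_chain(zone, delegations, salt_hex, iterations)
    return {"nsec_records": n1, "nsec_bytes": b1,
            "nsec3_records": n3, "nsec3_bytes": b3}


if __name__ == "__main__":
    print(compare())
```

On the constructed zone, opt-out cuts the chain from 7 records to 4 but the 4 NSEC3 records occupy more bytes than the 7 NSEC records, because short delegation labels are replaced by 32-character hashes and the next-hash field is a fixed 20 bytes. Substitute a real zone's NS and DS counts into `DELEGATIONS` to see the ratio for that zone; the sizing also applies per response, since an NSEC3 NXDOMAIN answer carries up to three NSEC3 records (closest encloser, next closer name, wildcard) where NSEC needs at most two.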


