[dns-operations] .SE moving from DNSSEC algo 5 to 8
Roger Murray
roger.murray at iis.se
Mon Dec 11 17:33:34 UTC 2017
+1
Great answer Viktor. I should have you do all our PR in the future.
Best regards,
/rog
> On 11 Dec, 2017, at 08:28, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
>
>
>> On Dec 11, 2017, at 1:55 AM, Arsen STASIC <arsen.stasic at univie.ac.at> wrote:
>>
>> Have you considered using NSEC3 with opt-out (for memory reasons)?
>
> Based on a day or two old copy of the .com zone, I see
> 743,602 secure delegations from .com. Given that .com
> has around 130 million domains[1], it makes much sense
> for .com signing to be sparse.
>
> On the other hand, a freshly downloaded .se zone has
> by comparison only 1,768,559 NS RRsets and 823,476 DS
> RRsets. So NSEC3 would not significantly reduce the
> zone size, and could even make it larger (larger NSEC3
> qnames and values). NSEC3 also increases the sizes of
> negative responses.
>
> So for a zone like .se, which makes the entire zone
> content public, and has around 50% or greater DNSSEC
> adoption, NSEC may well be the more sound choice.
>
> --
> Viktor.
>
> [1] https://www.verisign.com/en_US/domain-names/dnib/index.xhtml
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
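The comparison in the quoted reply (delegation NS RRsets versus DS RRsets) can be reproduced on any zone copy. The following is an added example, not part of the original thread: it counts delegations and secure delegations and estimates how many denial-of-existence records NSEC and NSEC3 with opt-out would each need. The zone name `example.`, the sample records and the function name `delegation_stats` are constructed for illustration; it assumes one record per line with absolute owner names, and ignores empty non-terminals, RRSIGs and the larger size of each NSEC3 record.

```python
from collections import defaultdict

# Constructed sample zone (not real .se data), one record per line with
# absolute owner names, as `dig axfr` prints it.
SAMPLE_ZONE = """\
example. 3600 IN SOA ns.example. host.example. 1 7200 900 1209600 3600
example. 3600 IN NS ns.example.
ns.example. 3600 IN A 192.0.2.1
alpha.example. 3600 IN NS ns1.alpha.example.
alpha.example. 3600 IN DS 12345 8 2 ABCD
ns1.alpha.example. 3600 IN A 192.0.2.10
beta.example. 3600 IN NS ns.elsewhere.test.
gamma.example. 3600 IN NS ns.elsewhere.test.
gamma.example. 3600 IN DS 23456 8 2 EF01
"""


def delegation_stats(zone_text, origin):
    """Count delegations and estimate denial-of-existence chain lengths."""
    origin = origin.lower()
    types = defaultdict(set)  # owner name -> RR types present at that name
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # skip blanks, comments, malformed lines
        types[fields[0].lower()].add(fields[3].upper())

    cuts = {n for n, t in types.items() if "NS" in t and n != origin}
    secure = {n for n in cuts if "DS" in types[n]}

    def below_cut(name):
        # True for glue: some strict ancestor of `name` is a delegation point.
        labels = name.split(".")
        return any(".".join(labels[i:]) in cuts for i in range(1, len(labels)))

    auth = {n for n in types if n not in cuts and not below_cut(n)}
    nsec = len(auth) + len(cuts)            # NSEC: every auth name and every cut
    nsec3_optout = len(auth) + len(secure)  # opt-out: insecure cuts are skipped
    return {
        "delegations": len(cuts),
        "secure_delegations": len(secure),
        "secure_fraction": len(secure) / len(cuts) if cuts else 0.0,
        "nsec_records": nsec,
        "nsec3_optout_records": nsec3_optout,
        "optout_saving": 1 - nsec3_optout / nsec if nsec else 0.0,
    }


if __name__ == "__main__":
    for key, value in delegation_stats(SAMPLE_ZONE, "example.").items():
        print(f"{key}: {value}")
```

The `optout_saving` figure is a record-count ratio only; it says nothing about bytes, which is where the larger NSEC3 owner names and values mentioned in the reply come in.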