[dns-operations] [Ext] Re: .SE moving from DNSSEC algo 5 to 8
Edward Lewis
edward.lewis at icann.org
Mon Dec 11 18:17:40 UTC 2017
On 12/11/17, 02:35, "dns-operations on behalf of Viktor Dukhovni" <dns-operations-bounces at dns-oarc.net on behalf of ietf-dane at dukhovni.org> wrote:
> > On Dec 11, 2017, at 1:55 AM, Arsen STASIC <arsen.stasic at univie.ac.at> wrote:
> >
> > Have you considered using NSEC3 with opt-out (for memory reasons)?
>
> Based on a day or two old copy of the .com zone, I see
> 743,602 secure delegations from .com. Given that .com
> has around 130 million domains[1], it makes much sense
> for .com signing to be sparse.
>
> On the other hand, a freshly downloaded .se zone has
> by comparison only 1,768,559 NS RRsets and 823,476 DS
> RRsets. So NSEC3 would not significantly reduce the
> zone size, and could even make it larger (larger NSEC3
> qnames and values). NSEC3 also increases the sizes of
> negative responses.
>
> So for a zone like .se, which makes the entire zone
> content public, and has around 50% or greater DNSSEC
> adoption, NSEC may well be the more sound choice.
Another factor is the size of NXDOMAIN responses. NSEC needs up to 2 records (+2 signatures) to deny a name exists (one for the name sought and one for the applicable wildcard). NSEC3 needs up to 3 records (+3 signatures) to deny a name exists (one for the name sought, another to reveal the closest encloser, and a third for the wildcard hanging off the closest encloser).
"Up to" in both cases means that sometimes, one NSEC or NSEC3 record can prove more than one thing.
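The two-versus-three record counts above (and the "up to" caveat) can be checked mechanically. The following Python is an added example, not code from this thread or from any .se or .com tooling: it builds an NSEC chain and an NSEC3 chain over a small constructed zone (apex `se` with three delegations and no wildcard, NSEC3 salt and iteration count borrowed from the RFC 5155 Appendix A example) and, for a non-existent query name, collects the records a server would have to include: the NSEC covering the name plus the NSEC covering the wildcard at the closest encloser, or the NSEC3 matching the closest encloser plus those covering the next closer name and the wildcard. Counting distinct records shows when one record does double duty, which is exactly why a real zone's negative answers carry fewer records (and signatures) than the worst case.

```python
"""Count the distinct NSEC / NSEC3 records an NXDOMAIN proof needs.

Constructed example zone (not a real TLD): apex "se" plus three names,
no wildcard, so every negative answer must deny both the query name and
"*.<closest encloser>" (RFC 4035 section 3.1.3.2 / RFC 5155 section 7.2.2).
"""
import base64
import hashlib


def labels(name):
    """Canonical form: lower-cased labels, root-first, so that tuple comparison
    gives RFC 4034 section 6.1 canonical ordering (the apex sorts first)."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def wire_name(lbls):
    """Uncompressed wire-format name: length-prefixed labels, then the root byte."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in reversed(lbls)) + b"\x00"


# base32 (RFC 4648 section 6) -> base32hex (section 7); 20-byte SHA-1 needs no padding.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(lbls, salt, iterations):
    """RFC 5155 section 5: iterated SHA-1 over wire name + salt, as base32hex."""
    digest = hashlib.sha1(wire_name(lbls) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX)


def build_chain(owners):
    """Sort owners and link each to its successor; the last wraps to the first.
    Works for canonical names (NSEC) and for hashed owners (NSEC3) alike."""
    ordered = sorted(set(owners))
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def covers(owner, nxt, target, first):
    """True if the record owner -> nxt spans the gap in which target falls."""
    if nxt == first:                       # last record of the ring wraps around
        return target > owner or target < nxt
    return owner < target < nxt


def find_covering(chain, target):
    """The one record whose gap contains target (target must not be an owner)."""
    first = chain[0][0]
    for owner, nxt in chain:
        if covers(owner, nxt, target, first):
            return (owner, nxt)
    raise ValueError(f"{target!r} is an owner in the chain; nothing covers it")


def closest_encloser(q, existing):
    """Longest existing ancestor of q; the apex always qualifies."""
    for cut in range(len(q) - 1, 0, -1):
        if q[:cut] in existing:
            return q[:cut]
    raise ValueError("qname is not below the apex")


def _prepare(zone_names, apex_name, qname):
    existing = {labels(n) for n in zone_names} | {labels(apex_name)}
    q = labels(qname)
    if q in existing:
        raise ValueError(f"{qname} exists; not an NXDOMAIN")
    ce = closest_encloser(q, existing)
    wildcard = ce + ("*",)
    if wildcard in existing:
        raise ValueError(f"{qname} would be synthesized from a wildcard")
    return existing, q, ce, wildcard


def nsec_nxdomain_proof(zone_names, apex_name, qname):
    """NSEC denial: a record covering qname and one covering the wildcard at
    the closest encloser.  Both keys may map to the same record."""
    existing, q, ce, wildcard = _prepare(zone_names, apex_name, qname)
    chain = build_chain(existing)
    return {"qname": find_covering(chain, q), "wildcard": find_covering(chain, wildcard)}


def nsec3_nxdomain_proof(zone_names, apex_name, qname, salt, iterations):
    """NSEC3 denial: a record matching the closest encloser, one covering the
    next closer name and one covering the wildcard.  Again they may coincide."""
    existing, q, ce, wildcard = _prepare(zone_names, apex_name, qname)
    h = lambda lbls: nsec3_hash(lbls, salt, iterations)
    chain = build_chain(h(n) for n in existing)
    match = next(rec for rec in chain if rec[0] == h(ce))
    return ce, {"closest_encloser": match,
                "next_closer": find_covering(chain, h(q[:len(ce) + 1])),
                "wildcard": find_covering(chain, h(wildcard))}


def proof_sizes(zone_names, apex_name, qname, salt, iterations):
    """Distinct records (each with its own RRSIG) the response must carry."""
    nsec = nsec_nxdomain_proof(zone_names, apex_name, qname)
    _, nsec3 = nsec3_nxdomain_proof(zone_names, apex_name, qname, salt, iterations)
    return {"nsec": len(set(nsec.values())), "nsec3": len(set(nsec3.values()))}


# Constructed zone; salt/iterations match the RFC 5155 Appendix A example zone.
APEX = "se"
NAMES = ["se", "alpha.se", "beta.se", "gamma.se"]
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 12

if __name__ == "__main__":
    for q in ("ab.se", "foo.se", "x.beta.se"):
        print(q, proof_sizes(NAMES, APEX, q, SALT, ITERATIONS))
```

With this zone, `foo.se` needs two NSEC records (one between `beta.se` and `gamma.se`, one between the apex and `alpha.se` for `*.se`), whereas `ab.se` and `x.beta.se` need only one because the same gap holds both the query name and the wildcard. The NSEC3 count for the same queries depends on where the hashes land in the ring, which is why it is stated as "up to 3".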