[dns-operations] [Ext] Re: .SE moving from DNSSEC algo 5 to 8

Edward Lewis edward.lewis at icann.org
Mon Dec 11 18:17:40 UTC 2017

On 12/11/17, 02:35, "dns-operations on behalf of Viktor Dukhovni" <dns-operations-bounces at dns-oarc.net on behalf of ietf-dane at dukhovni.org> wrote:
>    > On Dec 11, 2017, at 1:55 AM, Arsen STASIC <arsen.stasic at univie.ac.at> wrote:
>    > 
>    > Have you considered using NSEC3 with opt-out (for memory reasons)?
>    Based on a day or two old copy of the .com zone, I see
>    743,602 secure delegations from .com.  Given that .com
>    has around 130 million domains[1], it makes much sense
>    for .com signing to be sparse.
>    On the other hand, a freshly downloaded .se zone has
>    by comparison only 1,768,559 NS RRsets and 823,476 DS
>    RRsets.  So NSEC3 would not significantly reduce the
>    zone size, and could even make it larger (larger NSEC3
>    qnames and values).  NSEC3 also increases the sizes of
>    negative responses.
>    So for a zone like .se, which makes the entire zone
>    content public, and has around 50% or greater DNSSEC
>    adoption, NSEC may well be the more sound choice.

Another factor is the size of NXDOMAIN responses.  NSEC needs up to 2 records (+2 signatures) to deny a name exists (one for the name sought and one for the applicable wildcard).  NSEC3 needs up to 3 records (+3 signatures) to deny a name exists (one for the name sought, another to reveal the closest encloser, and a third for the wildcard hanging off the closest encloser).

"Up to" in both cases means that sometimes, one NSEC or NSEC3 record can prove more than one thing.
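As an added illustration of the record counts described above (my own example, not code from this thread): for a small constructed zone it lists the distinct NSEC records and the distinct NSEC3 records an NXDOMAIN response must carry, collapsing the cases where one record proves two things. It assumes the zone list names every existing owner (empty non-terminals included), ignores opt-out, and borrows the salt and iteration count from RFC 5155 Appendix A purely as a known hash test vector.

```python
import base64, hashlib
# base32hex (RFC 4648 section 7) obtained from standard base32 by translation
B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                         b"0123456789ABCDEFGHIJKLMNOPQRSTUV")
# Constructed zone for the demo: every existing owner name, apex included
ZONE = ["example.", "a.example.", "b.example.", "ns1.example."]

def labels(name):
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def canon_key(name):
    # RFC 4034 section 6.1 canonical order: labels compared right to left, case-folded
    return tuple(l.encode() for l in reversed(labels(name)))

def nsec3_hash(name, salt=b"", iterations=0):
    # RFC 5155 section 5: SHA-1(wire name || salt), re-hashed `iterations` times, base32hex
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels(name)) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(B32HEX).decode().lower()

def covering(chain, key):
    # chain is sorted; the last record's "next" wraps to the first owner, so it covers both ends
    if key < chain[0] or key > chain[-1]:
        return chain[-1]
    for owner, nxt in zip(chain, chain[1:]):
        if owner < key < nxt:
            return owner
    raise ValueError("key matches an existing owner, so this is not an NXDOMAIN case")
def nxdomain_proof(zone, qname, salt=b"", iterations=0):
    """Distinct NSEC owners and distinct NSEC3 owners needed to deny qname (two sorted lists)."""
    zone = {".".join(labels(n)) + "." for n in zone}
    q = labels(qname)
    # closest encloser = longest existing ancestor of qname; next closer = one label below it
    depth = next(i for i in range(1, len(q) + 1) if ".".join(q[i:]) + "." in zone)
    ce, next_closer = ".".join(q[depth:]) + ".", ".".join(q[depth - 1:]) + "."
    wildcard = "*." + ce
    # NSEC (RFC 4035 3.1.3.2): cover qname and cover the wildcard at the closest encloser
    by_key = {canon_key(n): n for n in zone}
    chain = sorted(by_key)
    nsec = {by_key[covering(chain, canon_key(n))] for n in (qname, wildcard)}
    # NSEC3 (RFC 5155 7.2.2): match closest encloser, cover next closer, cover wildcard; a set collapses duplicates
    h = lambda n: nsec3_hash(n, salt, iterations)
    hchain = sorted(h(n) for n in zone)
    nsec3 = {h(ce), covering(hchain, h(next_closer)), covering(hchain, h(wildcard))}
    return sorted(nsec), sorted(nsec3)
if __name__ == "__main__":
    for q in ("c.example.", "0.example.", "x.y.example."):
        print(q, nxdomain_proof(ZONE, q, bytes.fromhex("aabbccdd"), 12))
```

The query `0.example.` shows the "up to" point: the same NSEC record (owner `example.`) covers both the name and `*.example.`, so one record suffices, while `c.example.` needs two.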
