[dns-operations] nsec vs nsec3 use

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Apr 13 01:51:35 UTC 2021

> On Apr 12, 2021, at 6:17 PM, Seth Arnold <seth.arnold at canonical.com> wrote:
> Hello, I'm curious about how many domains are using nsec and how many
> domains are using nsec3. (I realize there's lots of ways to measure "use",
> and I'm not particular about any specific meaning; this is an idle
> curiosity.)
> Are there resources that already track nsec vs nsec3 use in domains or
> requests?

I don't monitor NSEC3 vs. NSEC on a regular basis, but a few weeks back
I took a survey of at the time ~14.4 million DNSSEC signed domains, of
which ~10.9 million used NSEC3.

My dataset is fairly comprehensive, I'm missing no more than ~1 million
domains (likely closer to 0.5 million), most of the missing ones are likely

But, that said, my advice is to use NSEC unless you have an absolutely
compelling case to attempt to deter zone enumeration, or your zone is
so large (e.g. 10 million or more domains) and so sparsely signed, that
opt-out is particularly appealing.


More information about the dns-operations mailing list