[dns-operations] nsec vs nsec3 use
Vladimír Čunát
vladimir.cunat+ietf at nic.cz
Tue Apr 13 17:31:38 UTC 2021
On 13. 04. 21 18:40, Viktor Dukhovni wrote:
> - With NSEC you benefit from aggressive negative caching reducing
> query load on your authoritative server.
Tiny detail: NSEC3 without opt-out also allows aggressive caching with
the same benefits but it's less common. (so NSEC does give advantage there)
> Tony> Maybe use NSEC3 if you have a stunt DNS server like Cloudflare's that is
> able to generate narrow NSEC3 denials
I think even for online minimal responses, NSEC will be a slightly
better choice. (Cloudflare are such an example)
More information about the dns-operations
mailing list