[dns-operations] nsec vs nsec3 use

Vladimír Čunát vladimir.cunat+ietf at nic.cz
Tue Apr 13 17:31:38 UTC 2021

On 13. 04. 21 18:40, Viktor Dukhovni wrote:
>      - With NSEC you benefit from aggressive negative caching reducing
>        query load on your authoritative server.

Tiny detail: NSEC3 without opt-out also allows aggressive caching with
the same benefits but it's less common.  (so NSEC does give an advantage there)

> Tony> Maybe use NSEC3 if you have a stunt DNS server like Cloudflare's that is
> able to generate narrow NSEC3 denials

I think even for online minimal responses, NSEC will be a slightly 
better choice.  (Cloudflare are such an example)
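
The aggressive negative caching discussed in this thread, for the plain NSEC case, as an added example that is not part of the original message or of any resolver's code: a validating resolver that holds NSEC records can answer NXDOMAIN for any name they cover (RFC 8198) without querying the authoritative server. The zone `example.`, its names and the function names are constructed; signature validation and TTL handling are assumed to have happened already.

```python
# Constructed NSEC records (owner, next) cached from earlier validated answers.
# The full chain would be example. -> a -> mail -> www -> example.; only two are cached.
CACHED_NSECS = [("example.", "a.example."), ("mail.example.", "www.example.")]

def canon_key(name):
    """Sort key for RFC 4034 section 6.1 canonical order (labels right to left)."""
    labels = [l for l in name.lower().split(".") if l]
    return tuple(l.encode("ascii") for l in reversed(labels))

def covers(owner, nxt, qname):
    """True if the NSEC (owner -> nxt) proves that qname does not exist."""
    o, n, q = canon_key(owner), canon_key(nxt), canon_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the chain wraps around to the apex

def closest_encloser(owner, nxt, qname):
    """Longest ancestor of qname shared with either end of the covering NSEC."""
    q = canon_key(qname)
    best = 0
    for other in (canon_key(owner), canon_key(nxt)):
        shared = 0
        for a, b in zip(q, other):
            if a != b:
                break
            shared += 1
        best = max(best, shared)
    return ".".join(l.decode() for l in reversed(q[:best])) + "."

def can_synthesize_nxdomain(zone, cached_nsecs, qname):
    """NXDOMAIN from cache needs two proofs: qname is covered, and so is the
    wildcard at its closest encloser (otherwise a wildcard answer could exist)."""
    z = canon_key(zone)
    if canon_key(qname)[:len(z)] != z:
        return False  # name is outside the zone these NSECs belong to
    for owner, nxt in cached_nsecs:
        if covers(owner, nxt, qname):
            wildcard = "*." + closest_encloser(owner, nxt, qname)
            return any(covers(o, n, wildcard) for o, n in cached_nsecs)
    return False  # no cached NSEC covers qname: the resolver must query upstream
```

With these two cached records, `nope.example.` and `x.mail.example.` are answered from cache, while `b.example.` still needs an upstream query because the NSEC covering it has not been seen yet.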
