[dns-operations] nsec vs nsec3 use
casey at deccio.net
Thu Apr 15 03:30:13 UTC 2021
> On Apr 12, 2021, at 7:51 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> I don't monitor NSEC3 vs. NSEC on a regular basis, but a few weeks back
> I took a survey of at the time ~14.4 million DNSSEC signed domains, of
> which ~10.9 million used NSEC3.
We did a study a few years ago, with a much smaller data set than Viktor's. But the numbers were very much in the same ballpark:
But more specifically:
NSEC3 (traditional): 53%
NSEC3 (white lies): 30%
NSEC (traditional): 11%
NSEC (black lies): 2%
Note that the remaining 4% were unclassified because of inconsistent behavior.
> On Apr 13, 2021, at 10:40 AM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> - Most zones have no secrets, often just the zone apex and a couple
> of common labels, "www", "smtp", "mx1", ...
Again, we have some empirical measurements to confirm this. Nearly 90% of zones signed with NSEC3 have fewer than 10 names.
The full paper is here:
And an OARC presentation on the topic here:
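Sorting negative answers into the four buckets named above (NSEC vs. NSEC3, precomputed vs. minted online) comes down to looking at the shape of the denial-of-existence records. The classifier below is an added example, not code from the original post or from the study it cites. It follows RFC 5155 section 5 for the NSEC3 hash, treats "white lies" as the RFC 4470-style minimally covering NSEC3 whose owner and next hash are H(qname)-1 and H(qname)+1, and treats "black lies" as the NODATA answer whose NSEC runs from qname to \000.qname. The toy zone, the query name, the salt/iteration choice (taken from the RFC 5155 Appendix A example) and the record objects are all constructed inline; the dataclasses are a stand-in for the authority section of a response, not a real resolver or dnspython.

```python
import hashlib
from dataclasses import dataclass

B32HEX = "0123456789abcdefghijklmnopqrstuv"  # RFC 4648 base32hex alphabet (lowercase)


def b32hex_encode(data: bytes) -> str:
    bits, nbits = int.from_bytes(data, "big"), len(data) * 8
    pad = (-nbits) % 5                       # 20-byte SHA-1 needs no padding
    bits, nbits = bits << pad, nbits + pad
    return "".join(B32HEX[(bits >> s) & 31] for s in range(nbits - 5, -1, -5))


def b32hex_decode(text: str) -> bytes:
    val = 0
    for ch in text.lower():
        val = (val << 5) | B32HEX.index(ch)
    nbits = len(text) * 5
    return (val >> (nbits % 8)).to_bytes(nbits // 8, "big")


def wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercased, length-prefixed labels,
    root terminator. A "\\x00" character stands in for the presentation-format
    \\000 label that black lies put in the next-name field."""
    name = name.lower().rstrip(".")
    out = b"".join(bytes([len(l)]) + l.encode("latin-1") for l in name.split(".")) if name else b""
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 s5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex_encode(digest)


def adjacent_hash(h: str, delta: int) -> str:
    """h + delta as a 160-bit integer, wrapping mod 2^160."""
    raw = b32hex_decode(h)
    n = (int.from_bytes(raw, "big") + delta) % (1 << (8 * len(raw)))
    return b32hex_encode(n.to_bytes(len(raw), "big"))


def canonical_key(name: str):
    """Sort key for RFC 4034 s6.1 canonical ordering: labels compared right to left."""
    name = name.lower().rstrip(".")
    return [l.encode("latin-1") for l in reversed(name.split("."))] if name else []


def covers(owner, target, nxt, key=lambda x: x) -> bool:
    """True if target lies strictly between owner and next; the last record of
    a chain wraps around to the apex, so its interval is handled separately."""
    o, t, n = key(owner), key(target), key(nxt)
    return o < t < n if o < n else (t > o or t < n)


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str


@dataclass(frozen=True)
class NSEC3:
    owner_hash: str
    next_hash: str
    salt: bytes
    iterations: int


def classify(qname: str, records) -> str:
    nsec3s = [r for r in records if isinstance(r, NSEC3)]
    nsecs = [r for r in records if isinstance(r, NSEC)]
    if nsec3s and nsecs:
        return "unclassified"            # mixed chains: inconsistent behaviour
    for r in nsec3s:                     # white lies: tightest possible bracket around H(qname)
        h = nsec3_hash(qname, r.salt, r.iterations)
        if r.owner_hash == adjacent_hash(h, -1) and r.next_hash == adjacent_hash(h, +1):
            return "NSEC3 (white lies)"
    for r in nsec3s:                     # otherwise any record matching or covering H(qname)
        h = nsec3_hash(qname, r.salt, r.iterations)
        if r.owner_hash == h or covers(r.owner_hash, h, r.next_hash):
            return "NSEC3 (traditional)"
    q = canonical_key(qname)
    for r in nsecs:                      # black lies: NODATA for qname, next name is \000.qname
        if canonical_key(r.owner) == q and canonical_key(r.next_name) == canonical_key("\x00." + qname):
            return "NSEC (black lies)"
    for r in nsecs:
        if canonical_key(r.owner) == q or covers(r.owner, qname, r.next_name, canonical_key):
            return "NSEC (traditional)"
    return "unclassified"


# Constructed inputs: a three-name toy zone; salt and iterations are the
# NSEC3PARAM values used in the RFC 5155 Appendix A example zone.
SALT, ITER = bytes.fromhex("aabbccdd"), 12
ZONE_NAMES = ["example.", "a.example.", "www.example."]


def nsec_chain(names):
    ordered = sorted(names, key=canonical_key)
    return [NSEC(o, n) for o, n in zip(ordered, ordered[1:] + ordered[:1])]


def nsec3_chain(names, salt=SALT, iterations=ITER):
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)  # base32hex sorts as the integers do
    return [NSEC3(o, n, salt, iterations) for o, n in zip(hashes, hashes[1:] + hashes[:1])]


def white_lie_response(qname, closest_encloser, salt=SALT, iterations=ITER):
    h, ce = nsec3_hash(qname, salt, iterations), nsec3_hash(closest_encloser, salt, iterations)
    return [NSEC3(ce, adjacent_hash(ce, +1), salt, iterations),             # closest-encloser match
            NSEC3(adjacent_hash(h, -1), adjacent_hash(h, +1), salt, iterations)]  # minimal cover


def black_lie_response(qname):
    return [NSEC(qname, "\x00." + qname)]


if __name__ == "__main__":
    q = "mail.example."
    # RFC 5155 Appendix A lists the apex hash as 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    print("H(example.) =", nsec3_hash("example.", SALT, ITER))
    for label, rrs in [("precomputed NSEC", nsec_chain(ZONE_NAMES)),
                       ("black lies", black_lie_response(q)),
                       ("precomputed NSEC3", nsec3_chain(ZONE_NAMES)),
                       ("white lies", white_lie_response(q, "example."))]:
        print(f"{label:18s} -> {classify(q, rrs)}")
```

The survey's "unclassified" bucket is what falls out when the same zone answers one way for some names and another way for others, or mixes NSEC and NSEC3 in one response; the classifier above only sees one response at a time, so the per-zone consistency check is a loop over several query names on top of it.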