[dns-operations] nsec vs nsec3 use

Casey Deccio casey at deccio.net
Thu Apr 15 03:30:13 UTC 2021

> On Apr 12, 2021, at 7:51 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> I don't monitor NSEC3 vs. NSEC on a regular basis, but a few weeks back
> I took a survey of at the time ~14.4 million DNSSEC signed domains, of
> which ~10.9 million used NSEC3.

We did a study a few years ago, with a much smaller data set that Viktor's.  But the numbers were very much in the same ballpark:

NSEC3: 83%
NSEC: 13%

But more specifically:

NSEC3 (traditional): 53%
NSEC3 (white lies): 30%
NSEC (traditional): 11%
NSEC (black lies): 2%

Note that the remaining 4% were unclassified because of inconsistent behavior.


> On Apr 13, 2021, at 10:40 AM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>    - Most zones have no secrets, often just the zone apex and a couple
>      of common labels, "www", "smtp", "mx1", ...

Again, we have some empirical measurements to confirm this.  Nearly 90% of zones signed with NSEC3 have fewer than 10 names.

The full paper is here:

And an OARC presentation on the topic here:


More information about the dns-operations mailing list