[dns-operations] NSEC3 parameter selection (BCP: 1 0 0 -)

Matthijs Mekking matthijs at pletterpet.nl
Tue Jan 19 07:39:04 UTC 2021


On 19-01-2021 02:02, Viktor Dukhovni wrote:
> On Mon, Jan 18, 2021 at 08:31:36PM +0000, Paul Vixie wrote:
> 
>> On Mon, Jan 18, 2021 at 03:54:49PM +0000, Roy Arends wrote:
>>>
>>> I agree with you.
>>
>> So do I. But I'm concerned about that. Most of the operators of dnssec
>> machinery have not been born yet, and most dnssec machinery that will
>> ever be used has not been created yet. I don't think those future operators
>> and creators will read this mailing list's archives. Where can we put the
>> agreed wisdom of our era so that it can be easily and persistently found
>> both in this and future eras?
>>
>> (Same for the empty salt thread, and likely many others past and future.)
> 
> I guess a dnsop BCP draft is called for, but I'm somewhat cycle-starved
> to spin up a new draft.  If anyone can get that started, I'm happy to
> coauthor, review, ... but starting a BCP draft from scratch is more
> effort than I can muster at the moment.

It doesn't need to be from scratch. There is RFC 6781 "DNSSEC Operational Practices, Version 2" but that is horribly out of date.

* It prefers RSA/SHA-256 algorithm (ECDSA was n/a at the time).
* It prefers NSEC3 for large unstructured zones.
* It says 100 iterations is not excessive, but costly.
* It does not know about CDS/CDNSKEY records.
* It does not know about multi-signer models.

In my opinion RFC 6781 should be updated or obsoleted.

- Matthijs
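The "1 0 0 -" in the subject line is the NSEC3PARAM presentation format: hash algorithm 1 (SHA-1), flags 0 (no opt-out), 0 additional iterations, and an empty salt. The following is an added example and is not code from this thread or from any of its participants; it implements the NSEC3 owner-name hash from RFC 5155 section 5 so that the work factor of the iteration count discussed above (0 versus the 100 that RFC 6781 calls "costly") can be measured directly. The function names and the sample zone names are my own choices; the one known-answer check uses the vector from RFC 5155 Appendix A.

```python
"""NSEC3 owner-name hashing per RFC 5155 section 5, with a work-factor comparison."""
import hashlib
import time

# RFC 4648 section 7 "base32hex" alphabet, emitted lowercase (DNS hashes are case-insensitive)
B32HEX = "0123456789abcdefghijklmnopqrstuv"


def base32hex(data: bytes) -> str:
    """Base32hex encoding without padding; a 20-byte SHA-1 digest becomes exactly 32 characters."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wire_name(owner: str) -> bytes:
    """Canonical wire-format name (RFC 4034 section 6.2): lowercase labels, length-prefixed, root terminator."""
    owner = owner.rstrip(".").lower()
    out = b""
    if owner:
        for label in owner.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label length in {owner!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_nsec3param(text: str):
    """Parse 'algorithm flags iterations salt' presentation format; '-' denotes the empty salt."""
    alg, flags, iters, salt = text.split()
    return int(alg), int(flags), int(iters), (b"" if salt == "-" else bytes.fromhex(salt))


def nsec3_hash(owner: str, iterations: int = 0, salt: bytes = b"", algorithm: int = 1) -> str:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    if algorithm != 1:
        raise ValueError("RFC 5155 defines only hash algorithm 1 (SHA-1)")
    digest = hashlib.sha1(wire_name(owner) + salt).digest()  # iteration 0 is always performed
    for _ in range(iterations):                               # then 'iterations' additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def hash_zone(names, params: str):
    """Hash every owner name in a zone with the given NSEC3PARAM; returns {hash: owner}."""
    algorithm, _flags, iterations, salt = parse_nsec3param(params)
    return {nsec3_hash(n, iterations, salt, algorithm): n for n in names}


def relative_cost(params: str) -> int:
    """SHA-1 invocations per owner name: one base hash plus one per additional iteration."""
    return parse_nsec3param(params)[2] + 1


def time_hashing(names, params: str, rounds: int = 20) -> float:
    """Wall-clock seconds to hash the zone 'rounds' times (both signer and every validator pay this)."""
    start = time.perf_counter()
    for _ in range(rounds):
        hash_zone(names, params)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample zone; names are placeholders, not real hosts.
    zone = [f"host{i}.example." for i in range(500)] + ["example.", "www.example."]
    for params in ("1 0 0 -", "1 0 100 -", "1 0 100 aabbccdd"):
        print(f"{params:20s} SHA-1 calls/name={relative_cost(params):4d} "
              f"time={time_hashing(zone, params):.3f}s")
```

The empty salt and zero iterations leave the hash at a single SHA-1 over the canonical name, which is the floor for the "1 0 0 -" recommendation; every additional iteration adds one SHA-1 call for each name hashed, on the signer and on every validator that has to re-hash names to check a denial-of-existence proof.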