[dns-operations] NSEC3 parameter selection (BCP: 1 0 0 -)

Vladimír Čunát vladimir.cunat+ietf at nic.cz
Tue Jan 19 09:09:11 UTC 2021

On 1/18/21 11:41 PM, Viktor Dukhovni wrote:
> For the salt to makes sense, and warrant rotation, one would have to
> operate a zone with enough records that some are hard to predict,
> sensitive and yet published (and not visible in transparency logs,
> PTR records, ...).  This is very much a corner case.

Perhaps, but this and some other arguments seem to be even against 
attempts to hide zone contents.  I didn't mean to consider those in my 
post, as you had covered them nicely by the NSEC and opt-out bullets.  
My personal opinion is that most TLDs would better use NSEC instead of 
NSEC3, though it's possible that I just don't know their motivation for 
the policy.

More information about the dns-operations mailing list