[dns-operations] NSEC3 parameter selection (BCP: 1 0 0 -)
vladimir.cunat+ietf at nic.cz
Tue Jan 19 09:09:11 UTC 2021
On 1/18/21 11:41 PM, Viktor Dukhovni wrote:
> For the salt to makes sense, and warrant rotation, one would have to
> operate a zone with enough records that some are hard to predict,
> sensitive and yet published (and not visible in transparency logs,
> PTR records, ...). This is very much a corner case.
Perhaps, but this and some other arguments seem to be even against
attempts to hide zone contents. I didn't mean to consider those in my
post, as you had covered them nicely by the NSEC and opt-out bullets.
My personal opinion is that most TLDs would better use NSEC instead of
NSEC3, though it's possible that I just don't know their motivation for
More information about the dns-operations