Hello Jan,
I prefer NSEC unless it's a large delegation-centric zone where NSEC3
using opt-out can make sense. I like NSEC because:
* smaller NXDOMAIN response
* easier to grasp
* fewer bugs in software handling NSEC compared to NSEC3
The DNSSEC Operational Practices, Version 2 lists the well-known
argument of zone enumeration
(https://tools.ietf.org/html/rfc6781#section-5.1) but I think DNS zone
data is OK to be public for most cases. Users of the minor cases (e.g.
TLD, OPENPGPKEY users) need not rely on defaults.
Daniel
On 09.06.16 10:26, Jan Včelák wrote:
Hello guys,
we are currently tuning the DNSSEC default parameters. And we haven't
settled on whether NSEC or NSEC3 should be used for authenticated
denial. Tough decision...
We would appreciate any comments from your point of view. :-)
Jan