To phrase it differently: NSEC3 should be an exception.

Olafur

On Jun 9, 2016, at 12:37 PM, Marek Vavruša <marek@vavrusa.com> wrote:

+1 to Matthijs.

NSEC has been a sane default for a while and people who want NSEC3 have already enabled it.
Changing it would break the rule of least surprise in current deployments, when zones signed using
and old policy would be NSEC and zones signed with a new policy NSEC3.
That's something not trivially fixable once the zones are published.

Marek

On 9 June 2016 at 01:48, Matthijs Mekking <matthijs@pletterpet.nl> wrote:
Hi Jan,

On 09-06-16 10:26, Jan Včelák wrote:
> Hello guys,
>
> we are currently tuning the DNSSEC default parameters. And we haven't
> settled on whether NSEC or NSEC3 should be used for authenticated
> denial. Tough decision...

NSEC4! ;)

> We would appreciate any comments from your point of view. :-)

Obviously the DNSSEC policy is a local one, so there is no good default
that satisfies all.

RFC 6781 states that for smaller zones and structured zones, NSEC3
doesn't make much sense: In these cases, the use of NSEC is
preferred to ease the work required by signers and validating
resolvers.

Larger zones may benefit from NSEC3's Opt-Out and zone enumeration
mitigation. If these are of a concern to people I would say they have to
do the minimal extra effort to change the parameter. These are usually
organizations that know how to.

So my vote goes to NSEC.

Best regards,
  Matthijs


>
> Jan
> _______________________________________________
> knot-dns-users mailing list
> knot-dns-users@lists.nic.cz
> https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
>

_______________________________________________
knot-dns-users mailing list
knot-dns-users@lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users

_______________________________________________
knot-dns-users mailing list
knot-dns-users@lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users