Hi Jan,
On 09-06-16 10:26, Jan Včelák wrote:
> Hello guys,
>
> we are currently tuning the DNSSEC default parameters. And we haven't
> settled on whether NSEC or NSEC3 should be used for authenticated
> denial. Tough decision...
NSEC4! ;)
> We would appreciate any comments from your point of
> view. :-)
Obviously the DNSSEC policy is a local one, so there is no good default
that satisfies all.
RFC 6781 states that for smaller zones and structured zones, NSEC3
doesn't make much sense: "In these cases, the use of NSEC is
preferred to ease the work required by signers and validating
resolvers."
Larger zones may benefit from NSEC3's Opt-Out and zone enumeration
mitigation. If these are of concern to people, I would say they have to
do the minimal extra effort to change the parameter. These are usually
organizations that know how to.
So my vote goes to NSEC.
Best regards,
Matthijs
> Jan
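As an added illustration (not part of the thread and not Knot's shipped defaults), the two choices discussed above side by side as Knot DNS policy fragments. The syntax is assumed to be that of a Knot DNS 2.x knot.conf; the policy ids and the zone name are placeholders, and the `nsec3-opt-out` key is assumed to be available in the version in use. The NSEC policy is the "ease the work for signers and validators" option from RFC 6781; the NSEC3 policy is the "minimal extra effort" an operator of a large or delegation-heavy zone would make. Note that every extra NSEC3 iteration costs validators CPU for each negative answer, which is why current guidance (RFC 9276) recommends zero iterations and an empty salt.

```yaml
# Added example: Knot DNS 2.x policy fragments (assumed syntax), not the
# project's own defaults. Ids and the zone name are placeholders.

policy:
  # Plain NSEC: the RFC 6781 recommendation for small and structured zones.
  # Cheapest for the signer and for validating resolvers.
  - id: nsec-policy
    algorithm: ecdsap256sha256
    nsec3: off

  # NSEC3 with Opt-Out: for large delegation-centric zones where signing
  # every insecure delegation would be costly, or where making the zone
  # harder to enumerate matters. Iterations kept at 0 and salt empty,
  # per RFC 9276 (extra iterations only add validator load).
  - id: nsec3-policy
    algorithm: ecdsap256sha256
    nsec3: on
    nsec3-iterations: 0
    nsec3-salt-length: 0
    nsec3-opt-out: on       # assumption: key present in the Knot version in use

zone:
  # Placeholder zone names; each zone picks the policy that fits it.
  - domain: small.example.   # small, structured zone -> NSEC
    dnssec-signing: on
    dnssec-policy: nsec-policy

  - domain: big.example.     # large delegation zone -> NSEC3 + Opt-Out
    dnssec-signing: on
    dnssec-policy: nsec3-policy
```

Check the `knotc conf-check` output after editing, and confirm the resulting denial type with a signed-zone dump (NSEC vs NSEC3PARAM/NSEC3 records at the apex) before publishing.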
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users