On Wed, Mar 07, 2012 at 09:30:06AM +0100, Marc Lampo wrote:
> Switch from NSEC to NSEC3 !!!
> This is a statement with potentially huge consequences, IMHO.

I said "NSEC3 to NSEC", actually. As you noted, switching from NSEC to NSEC3 requires planning: if your domain uses a DNSKEY algorithm less than 7, you'll need to roll to a new algorithm first. However, any algorithm that supports NSEC3 also supports NSEC, so if you decide you don't want NSEC3 and want to revert, you can do so quite easily.

I always recommend using 'dnssec-keygen -3' when generating keys, in order to keep one's options open, even though I *don't* recommend NSEC3 for most people. (It places additional computational burdens on both the recursive and authoritative servers, for benefits that are relatively limited if you're not a TLD operator.)

I expect we'll switch to using -3 as the default in some future release.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
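As an added illustration of the algorithm constraint discussed in this thread (example code, not part of the post above and not BIND's own tooling): given a zone's DNSKEY RRset in presentation format, it lists the keys whose algorithm cannot be used with NSEC3 and so would have to be rolled before switching, while any key can keep signing an NSEC zone. The sample records and function names are constructed assumptions; the capability rule follows RFC 5155 (algorithms 6 and 7 plus every algorithm registered after them).

```python
import re

def supports_nsec3(alg: int) -> bool:
    """Per RFC 5155, 6 (DSA-NSEC3-SHA1) and 7 (RSASHA1-NSEC3-SHA1) are the
    NSEC3-signalling aliases of 3 and 5; every later algorithm (8, 10, 13, 14,
    15, 16, ...) works with both NSEC and NSEC3. 1, 3 and 5 are NSEC-only."""
    return alg in (6, 7) or alg >= 8

# Matches "owner [ttl] [IN] DNSKEY flags protocol algorithm key..."
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>.+)$"
)

def parse_dnskeys(zone_text: str):
    """Return (owner, flags, algorithm) for each DNSKEY RR in the text."""
    keys = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        m = DNSKEY_RE.match(line)
        if m:
            keys.append((m["owner"], int(m["flags"]), int(m["alg"])))
    return keys

def nsec3_migration_plan(zone_text: str):
    """Return (can_switch_to_nsec3_now, blocking_keys).

    blocking_keys lists (owner, role, algorithm) for every key whose
    algorithm must be rolled before the zone can be signed with NSEC3.
    Reverting NSEC3 -> NSEC never needs a roll, so there is no check for it."""
    blocking = []
    for owner, flags, alg in parse_dnskeys(zone_text):
        role = "KSK" if flags & 0x0001 else "ZSK"  # SEP bit set -> KSK (257)
        if not supports_nsec3(alg):
            blocking.append((owner, role, alg))
    return (not blocking, blocking)

# Constructed sample: KSK already on an NSEC3-capable algorithm, ZSK still on
# plain RSASHA1 (5); the key material is placeholder text, not real keys.
SAMPLE_ZONE = """\
; constructed sample DNSKEY RRset
example.com. 3600 IN DNSKEY 257 3 7 AwEAAcKSKplaceholder...
example.com. 3600 IN DNSKEY 256 3 5 AwEAAcZSKplaceholder...
"""

if __name__ == "__main__":
    ok, blocking = nsec3_migration_plan(SAMPLE_ZONE)
    print("switch to NSEC3 possible now:", ok)
    for owner, role, alg in blocking:
        print(f"  roll {role} for {owner} off algorithm {alg} first")
```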