On Feb 23, 2010, at 10:40 AM, Paul Wouters wrote:

> On Mon, 22 Feb 2010, Doug Barton wrote:
> 
>> On 02/22/10 05:14, Roy Arends wrote:
>>> On Feb 22, 2010, at 4:44 AM, W.C.A. Wijngaards wrote:
>>>> The deployment of NSEC3-signed toplevel domains is a giant hash
>>>> collision test of typo dictionaries.
>>> 
>>> Not really, most (will) use Opt-Out.
>> 
>> Has anyone done a side-by-side comparison of nsec/nsec3 +/- opt-out with
>> the benefits and drawbacks of each? If such a document already exists
>> and I've just missed it my apologies.
> 
> Not that I know of, but for a TLD of 1.2M entries, we decided to use
> NSEC3 without optout. To the signer machine, there is not that much
> difference, especially when you take in signature re-use. So apart
> from the 10M+ zones, I don't really see the use of optout much. Unless
> your nameservers are old 32bit hardware and stuck with 3GB per bind process.

Hi Doug,

We (Nominet UK) operate on a register of over 8M names, distributed over 
several second level domains, of which co.uk is by far the largest. For us, 
NSEC3 is the default. We decided to stay away from NSEC on all delegation 
centric zones we operate, including the UK top level domain.

Staying away from NSEC will keep our zones lightweight and flexible, 
considering we dynamically update them by the minute. Due to OptOut, the 
resulting DNSSEC overhead in terms of size, incremental zone transfers, 
occasional full zone transfers, memory footprint, CPU usage, etc., is 
negligible. I don't really see the benefit of using NSEC. Too much redundant 
crypto and name leakage in NSEC in light of no real benefits. 

Kind Regards

Roy
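
The "hash collision test of typo dictionaries" point in the quoted exchange and the Opt-Out argument above, as an added worked example that is not code from the original thread or from Nominet: the NSEC3 owner-name hash of RFC 5155 section 5, a toy chain built with and without Opt-Out, and the offline dictionary attack an attacker runs against hashes collected by walking that chain. The zone names, the guess list and the helper names (to_wire, nsec3_chain, dictionary_attack, demo) are assumptions for illustration; the salt aabbccdd and 12 iterations are the RFC 5155 Appendix A parameters, and the known-answer value for "example." comes from that appendix.

```python
"""NSEC3 owner-name hashing (RFC 5155 section 5), a toy NSEC3 chain with and
without Opt-Out, and an offline dictionary attack against the collected chain.
Added example: the zone, delegations and guess list below are constructed."""
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"


def to_wire(name: str) -> bytes:
    """Canonical wire-format DNS name: lowercase, length-prefixed labels, root."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label {label!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def base32hex(data: bytes) -> str:
    """RFC 4648 base32hex, lowercase, no padding (a 20-byte digest needs none)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    H is SHA-1 (the only algorithm RFC 5155 defines); result is base32hex."""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_chain(names, insecure_delegations, salt, iterations, opt_out):
    """Sorted hashed owner names that receive an NSEC3 RR.  With the Opt-Out
    flag set, delegations without a DS record are left out of the chain
    entirely; that omission is what keeps a delegation-centric zone small."""
    covered = [n for n in names if not (opt_out and n in insecure_delegations)]
    return sorted(nsec3_hash(n, salt, iterations) for n in covered)


def dictionary_attack(chain, candidates, salt, iterations):
    """Offline guessing: the salt and iteration count are public (NSEC3PARAM),
    so every candidate costs iterations+1 SHA-1 calls and is matched against
    the hashes collected from the chain.  Returns hash -> recovered name."""
    targets = set(chain)
    found = {}
    for cand in candidates:
        h = nsec3_hash(cand, salt, iterations)
        if h in targets:
            found[h] = cand
    return found


# Constructed toy zone.  Only "bank" carries a DS; the rest are insecure
# delegations, which is the common case in a registry zone.
SALT = bytes.fromhex("aabbccdd")      # RFC 5155 Appendix A parameters
ITERATIONS = 12
ZONE = "example."
NAMES = ["example.", "bank.example.", "shop.example.",
         "blog.example.", "int3rnal.example."]
INSECURE = {"shop.example.", "blog.example.", "int3rnal.example."}
# Constructed typo/word dictionary: "int3rnal" is not in it and stays hidden.
GUESSES = ["www", "bank", "shop", "mail", "blog", "internal", "ftp"]


def demo(opt_out: bool):
    """Build the chain, run the dictionary, return (chain, recovered names)."""
    chain = nsec3_chain(NAMES, INSECURE, SALT, ITERATIONS, opt_out)
    cands = [f"{g}.{ZONE}" for g in GUESSES]
    recovered = dictionary_attack(chain, cands, SALT, ITERATIONS)
    return chain, sorted(recovered.values())


if __name__ == "__main__":
    print("H(example.) =", nsec3_hash("example.", SALT, ITERATIONS))
    for flag in (False, True):
        chain, names = demo(flag)
        print(f"opt_out={flag}: {len(chain)} NSEC3 RRs, recovered {names}")
```

Run demo(False) and demo(True) side by side: without Opt-Out every delegation is hashed and the guessable ones fall to the dictionary, so the chain is exactly the collision test Wijngaards describes; with Opt-Out the insecure delegations never enter the chain, so there is nothing to collide against and the chain is a fraction of the size. The caveat is the flip side of the same fact: an Opt-Out span proves nothing about the names inside it, so a validating resolver cannot authenticate the absence of a DS for those delegations (RFC 5155 section 6).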

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop