On Thursday, March 12, 2015 12:39:17 PM Florian Weimer wrote:
> On 03/12/2015 11:36 AM, Jan Včelák wrote:
> >> And does anyone actually use opt out with NSEC3?
> >
> > Yes, .com for example. My impression was that Opt-Out was the selling
> > point of NSEC3, not the domain name hashing.
>
> Okay. Are they interested in switching to NSEC5?

I was trying to say that TLDs use NSEC3 because of Opt-Out. This seems to be true, based on the information Edward sent in the "Using NSEC3 for opt-out" thread.

The target audience for NSEC5 is people who care about zone enumeration. They could be using Minimally Covering NSEC Records or NSEC3 White Lies at the moment. Both of these mechanisms already require on-line signing and private zone signing keys on all authoritative servers. NSEC5 just removes the necessity to have keys on the servers.

Jan