On Wed, Apr 27, 2016 at 11:29 AM, Matthew Pounsett <m...@conundrum.com>
wrote:
>
>
> On 19 April 2016 at 08:13, Shane Kerr <sh...@time-travellers.org> wrote:
>
>> Also, I'm not sure that it is fair to say "most zones are not signed
>> with NSEC". I guess most *TLD* are signed with NSEC3 either for zone
>> size reasons or in a (misguided IMHO) attempt to keep the zone contents
>> secret. But is this true for domains that are not delegation-only? And
>> even if it is, are those zones opt-out?
>>
>> I feel certain someone has this data. Ed Lewis, would this be something
> that would be possible to pull out of your survey of signed zones?
>
For just the TLDs, "most" is true; I have some data at:
https://www.huque.com/app/dnsstat/category/tld/dnssec/
In short, 895 or 79.1% of the signed TLDs are using NSEC3.
But that still leaves a non-trivial ~ 21% with NSEC.
--
Shumon Huque
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
