On Fri, Feb 19, 2021 at 10:58 AM Wes Hardaker <wjh...@hardakers.net> wrote:

>
> Greetings all,
>
> Viktor and I have been working on a BCP to provide guidance on selecting
> reasonable NSEC3 parameters.  We'd love your feedback and for dnsop to
> consider adopting it.
>
>
> A new version of I-D, draft-hardaker-dnsop-nsec3-guidance-02.txt
> has been successfully submitted by Wes Hardaker and posted to the
> IETF repository.
>
> Name:           draft-hardaker-dnsop-nsec3-guidance
> Revision:       02
> Title:          Guidance for NSEC3 parameter settings
> Document date:  2021-02-19
> Group:          Individual Submission
> Pages:          7
> URL:
> https://www.ietf.org/archive/id/draft-hardaker-dnsop-nsec3-guidance-02.txt
> Status:
> https://datatracker.ietf.org/doc/draft-hardaker-dnsop-nsec3-guidance/
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-hardaker-dnsop-nsec3-guidance
> Htmlized:
> https://tools.ietf.org/html/draft-hardaker-dnsop-nsec3-guidance-02
> Diff:
> https://www.ietf.org/rfcdiff?url2=draft-hardaker-dnsop-nsec3-guidance-02
>
> Abstract:
>    NSEC3 is a DNSSEC mechanism providing proof of non-existence by
>    promising there are no names that exist between two domainnames
>    within a zone.  Unlike its counterpart NSEC, NSEC3 avoids directly
>    disclosing the bounding domainname pairs.  This document provides
>    guidance on setting NSEC3 parameters based on recent operational
>    deployment experience.
>
>
I think this (excellent) document could benefit by including an initial
section comparing NSEC and NSEC3 (briefly).
And, in the first part of the Recommendations to Zone Publishers, add the
simple guidance, "If you don't think you would benefit from the features of
NSEC3, you should consider using NSEC instead."

Maybe throw in an observation about the rate of change or size of a zone,
not needing to hash (on either the resolver or authority) for queries,
particularly queries for names that do not exist, and the non-value of
Flags (Opt-Out) in leaf zones with no delegations.

Brian
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
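Added worked example (not part of the thread or of the draft) to make Brian's hashing-cost point concrete: it implements the NSEC3 hash of RFC 5155 section 5 (SHA-1 over the canonical wire-format owner name and salt, iterated) and then simulates the closest-encloser search a validator, or an authority building the response, has to run for a non-existent QNAME. Every ancestor of the QNAME is hashed until one matches a name that exists in the zone, plus one more hash for the wildcard check, and each NSEC3 hash costs iterations+1 SHA-1 invocations; with NSEC the same denial is a plain canonical-order comparison and costs no hashes at all. The set of existing names, the salt aabbccdd, the iteration count 12, and the test vector for "example" are taken from the example zone in RFC 5155 Appendix A; the function and variable names are this example's own.

```python
"""NSEC3 hashing per RFC 5155 and the hash cost of one name-error proof."""
import base64
import hashlib

# Names that exist in the RFC 5155 Appendix A example zone (apex "example").
# Stand-in for the set of owner names a publisher actually hashes into NSEC3.
EXAMPLE_ZONE = "example"
EXAMPLE_NAMES = {
    "example", "a.example", "ai.example", "ns1.example", "ns2.example",
    "w.example", "*.w.example", "x.w.example", "x.y.w.example",
    "y.w.example", "xx.example",
}
EXAMPLE_SALT = bytes.fromhex("aabbccdd")   # salt used in the RFC example zone
EXAMPLE_ITERATIONS = 12                    # iteration count used there

# RFC 4648 s7 base32hex alphabet, derived from the standard base32 alphabet.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def canonical_wire(name: str) -> bytes:
    """Owner name in canonical wire format (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the empty root label."""
    name = name.rstrip(".").lower()
    out = bytearray()
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """RFC 5155 s5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt).
    'iterations' is the number of *additional* rounds, so SHA-1 runs
    iterations+1 times.  Output is unpadded base32hex, lowercased."""
    digest = hashlib.sha1(canonical_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode("ascii")
    return b32.translate(_B32_TO_B32HEX).lower()


def ancestors(name: str):
    """Yield the name itself, then each ancestor obtained by stripping the
    leftmost label, down to the top-level label."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def name_error_cost(qname, names, salt, iterations):
    """Simulate the closest-encloser search for a non-existent QNAME: hash
    the QNAME and each ancestor until one hashes to an existing name.
    Returns (closest encloser, next closer name, NSEC3 hashes computed
    including the wildcard check, SHA-1 invocations)."""
    hashed_names = {nsec3_hash(n, salt, iterations) for n in names}
    hashes = 0
    previous = None
    for candidate in ancestors(qname):
        hashes += 1
        if nsec3_hash(candidate, salt, iterations) in hashed_names:
            closest_encloser, next_closer = candidate, previous
            break
        previous = candidate
    else:
        raise ValueError(f"{qname!r} has no ancestor in the zone")
    if next_closer is None:
        raise ValueError(f"{qname!r} exists; this is not a name error")
    # The wildcard at the closest encloser must be denied too: one more hash.
    hashes += 1
    nsec3_hash("*." + closest_encloser, salt, iterations)
    return closest_encloser, next_closer, hashes, hashes * (iterations + 1)


if __name__ == "__main__":
    print(nsec3_hash(EXAMPLE_ZONE, EXAMPLE_SALT, EXAMPLE_ITERATIONS))
    # Query from RFC 5155 Appendix B.1; compare the cost at 12 vs 0 iterations.
    for iters in (EXAMPLE_ITERATIONS, 0):
        print(iters, name_error_cost("a.c.x.w.example", EXAMPLE_NAMES,
                                     EXAMPLE_SALT, iters))
```

For the Appendix B.1 query a.c.x.w.example the search hashes a.c.x.w.example, c.x.w.example and x.w.example (the closest encloser), then the wildcard *.x.w.example: four NSEC3 hashes, which at 12 iterations is 52 SHA-1 calls for a single negative answer, and 4 at zero iterations. Deeper names below the closest encloser add one hash per label, which is the per-query cost the draft's parameter guidance is trading off against.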
