Hi list,
We plan a DNSSEC signing change for the ch. and li. zone files.
Introduction:
Both NSEC and NSEC3 are mechanisms that provide signed DNS records as
proof of non-existence for a given name or associated Resource Record
Type in a DNSSEC signed zone. While they serve the same primary purpose,
NSEC3 offers added features, such as not directly disclosing bounding
domain name pairs and providing "opt-out support." This latter feature
allows large registries to cover blocks of unsigned delegations with a
single NSEC3 record, thereby only signing as many NSEC3 records as there
are signed DS or other RRsets in the zone.
Recent trends and developments:
Since 2021, there's been a notable increase in the percentage of domain
names with DNSSEC for .ch, jumping from 6% to 49% [1]. Additionally, the
TLD zone files for both .ch and .li have been made publicly accessible
for download in recent years [2]. These developments have rendered the
argument for using NSEC3 with opt-out less compelling.
Our action plan:
SWITCH is set to transition from NSEC3 (utilizing opt-out) to NSEC for
both the .ch and .li TLD zones. Given the high percentage of domain
names already employing DNSSEC, this shift will result in only a modest
increase in the size of the zone files. Importantly, transitioning to
NSEC offers several benefits [3]:
* Enhanced performance and reduced latency
* Decreased resource utilization on both authoritative and recursive servers
* Potential bolstering of resilience against specific types of DoS attacks
Scheduled transition dates:
.li: 10th November 2023, 8 am CET
.ch: 10th November 2023, 10 am CET
Impact assessment:
We expect no operational impacts for end users. However, we value
feedback and observations. If you have concerns or notice any anomalies
related to this transition, please don't hesitate to contact us.
[1] https://www.nic.ch/statistics/dnssec/
[2] https://zonedata.switch.ch/
[3] https://datatracker.ietf.org/doc/html/rfc8198
--
Daniel Stirnimann, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 16 24
https://switch.ch https://swit.ch/linkedin https://swit.ch/twitter
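
Added example, not part of the original announcement and not SWITCH's or any resolver's code: a sketch of the name-coverage check behind the RFC 8198 [3] benefits listed above, where a validating resolver answers NXDOMAIN from cached NSEC records instead of querying the authoritative servers. The function names and the sample records are assumptions made for illustration; signatures are assumed to be validated already, and the wildcard proof and escaped dots in labels are left out.

```python
# Added example; the NSEC records below are constructed, not taken from the .ch zone.

def canonical_key(name):
    """RFC 4034 section 6.1 sort key: labels right to left, lowercased, as octets."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return [label.encode("ascii") for label in reversed(labels)]

def is_below(name, ancestor):
    """True if name is a strict subdomain of ancestor."""
    n, a = canonical_key(name), canonical_key(ancestor)
    return len(n) > len(a) and n[:len(a)] == a

def nsec_proves_nxdomain(zone, nsec, qname):
    """Does one cached, validated NSEC record prove that qname does not exist?"""
    owner, next_name, types = nsec
    if not is_below(qname, zone):
        return False                     # NSEC says nothing about other zones
    if is_below(qname, owner) and "NS" in types and "SOA" not in types:
        return False                     # owner is a delegation: child zone decides
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n                 # ordinary gap between two owner names
    return q > o                         # last NSEC wraps around to the zone apex

def answer_from_cache(zone, cache, qname):
    """Return the covering NSEC (synthesized NXDOMAIN) or None (query upstream)."""
    for nsec in cache:
        if nsec_proves_nxdomain(zone, nsec, qname):
            return nsec
    return None

ZONE = "ch."
CACHE = [  # constructed sample of validated NSEC records: (owner, next, type bitmap)
    ("ch.", "alpha.ch.", {"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"}),
    ("alpha.ch.", "delta.ch.", {"NS", "DS", "RRSIG", "NSEC"}),
    ("delta.ch.", "ch.", {"NS", "RRSIG", "NSEC"}),  # unsigned delegation, still listed
]

if __name__ == "__main__":
    for q in ("Bravo.ch.", "www.alpha.ch.", "zulu.ch.", "delta.ch.", "example.li."):
        hit = answer_from_cache(ZONE, CACHE, q)
        print(q, "-> NXDOMAIN from cache" if hit else "-> ask authoritative server")
```

Without opt-out, every delegation (signed or not) owns an NSEC record, so each gap between two registered names is covered by exactly one record.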