[Dnssec-deployment] Why not NSEC3?
vixie at isc.org
Fri Jul 9 16:44:04 EDT 2010
> Date: Fri, 9 Jul 2010 13:38:09 -0400
> From: Edward Lewis <Ed.Lewis at neustar.biz>
> NSEC3 is a fine approach if you need to make use of its features. But by
> comparison NSEC is easier to manage and troubleshoot.
kaminsky reminded me recently that white lies are way easier with NSEC3
than with NSEC. H(x)-1 and H(x)+1 are easier to calc than x-1 and x+1
where 'x' is the qname. so, there may be apps for NSEC3 other than where
the overall complexity is warranted or feature level is needed.
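
The H(x)-1 / H(x)+1 computation mentioned above, as an added example that is not part of the original message: it computes the RFC 5155 NSEC3 hash of a query name and the minimal owner/next pair that covers it. The function names, the zone `example`, the salt, the iteration count and the sample query name are assumptions chosen for illustration.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex ("extended hex", RFC 4648), as used by NSEC3.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")
HASH_LEN = 20  # SHA-1 output size in bytes (NSEC3 hash algorithm 1)


def wire_name(name: str) -> bytes:
    """Canonical (lowercased) wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> bytes:
    """RFC 5155 section 5: H(x || salt), then re-hashed `iterations` more times."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def b32hex(digest: bytes) -> str:
    """Base32hex text form of a hash, as it appears in an NSEC3 owner label."""
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").lower()


def white_lie_nsec3(qname: str, zone: str, salt: bytes, iterations: int):
    """Return (owner name, next hashed owner) of the narrowest NSEC3 covering qname.

    The span is H(x)-1 .. H(x)+1 on the 160-bit hash, so the answer proves
    non-existence of qname without exposing any real neighbour in the zone.
    """
    modulus = 1 << (8 * HASH_LEN)
    h = int.from_bytes(nsec3_hash(qname, salt, iterations), "big")
    # Modular arithmetic handles the wrap at the ends of the hash space.
    before = ((h - 1) % modulus).to_bytes(HASH_LEN, "big")
    after = ((h + 1) % modulus).to_bytes(HASH_LEN, "big")
    return f"{b32hex(before)}.{zone}.", b32hex(after)


if __name__ == "__main__":
    # Constructed sample: a name assumed not to exist in the zone "example".
    owner, nxt = white_lie_nsec3("nosuchname.example", "example",
                                 bytes.fromhex("aabbccdd"), 12)
    print(f"{owner} NSEC3 1 0 12 aabbccdd {nxt}")
```

The arithmetic is a fixed-width integer decrement and increment on the hash, whereas the NSEC equivalent has to produce the canonical-order predecessor and successor of the query name itself, within label and name length limits.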