[Dnssec-deployment] DNSSEC for .nz, status update
Roy Arends
roy at dnss.ec
Tue Nov 22 14:41:18 EST 2011
On Nov 21, 2011, at 10:54 PM, Mark Andrews wrote:
>
> In message <Prayer.1.3.4.1111212022350.4072 at hermes-2.csi.cam.ac.uk>, Chris Thompson writes:
>> On Nov 21 2011, Steve Crocker wrote, in connection with "nz" being signed,
>>
>>> Congratulations!
>>
>> Yes indeed. It's good to know that DNSSEC has reached even the nethermost
>> part of the globe .... (just from our point of view, of course)
>>
>> I noticed that "nz" is using NSEC rather than NSEC3. With only 17 distinct
>> names (the apex, one SRV, one DNAME, and 14 delegations) there cannot be
>> much incentive to keep the set secret. Not that this has stopped even
>> smaller zones using NSEC3. Perhaps the most comical is the TLD "xn--kprw13d"
>> which is signed using NSEC3 despite the fact that it has *no* names except
>> the apex, where there is a DNAME redirecting to "xn--kpry57d".
>
> Some people just like to make nameservers work harder than they need to.
>
>> Of the 20 TLDs newly signed this calendar year, just 3 have used NSEC
>> rather than NSEC3 ("co", "mm" and now "nz"). The overall statistics are
>> that 27 out of 84 signed TLDs use NSEC rather than NSEC3, although this
>> count is biased by the 11 IANA test zones (which use NSEC).
>
> NSEC3 is pointless in lots of zones. It is pointless in IP6.ARPA leaf zones
> and any other zones with a regular structure like IP6.ARPA. You
> can walk them using plain DNS.
Opt-Out also helps folks to choose NSEC3 over NSEC.
Roy
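An added example, not part of the thread, that makes Mark's point about regular-structure zones concrete from an operator's side: it implements the RFC 5155 NSEC3 owner-name hash and shows that under an ip6.arpa zone every child label is one of 16 nibbles, so a zone owner can precompute all 16 hashes and see that NSEC3 exposes the same names NSEC would. The ip6.arpa zone name is constructed and hypothetical; the salt and iteration count are the RFC 5155 Appendix A example parameters.

```python
import base64
import hashlib

# NSEC3 owner names use base32hex (RFC 4648 section 7), not plain base32.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt_hex: str = "", iterations: int = 0) -> str:
    """RFC 5155 section 5: H(x) = SHA-1(x || salt), applied 1 + iterations times, base32hex."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def candidate_table(parent: str, labels, salt_hex: str, iterations: int) -> dict:
    """Precompute hash -> plain name for every possible child label under `parent`."""
    return {nsec3_hash(f"{lbl}.{parent}", salt_hex, iterations): f"{lbl}.{parent}"
            for lbl in labels}

# Regular structure: under ip6.arpa each child label is a single hex nibble,
# so there are only 16 possible child names at any level.
HEX_NIBBLES = "0123456789abcdef"

def resolve_nsec3_owner(hashed_label: str, parent: str, salt_hex: str, iterations: int):
    """Map an NSEC3 owner hash back to its plain nibble child name, or None if it is not one."""
    return candidate_table(parent, HEX_NIBBLES, salt_hex, iterations).get(hashed_label.upper())

if __name__ == "__main__":
    # Constructed, hypothetical ip6.arpa leaf zone using the RFC 5155 Appendix A
    # NSEC3 parameters (salt aabbccdd, 12 extra iterations).
    zone, salt, iters = "0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa", "aabbccdd", 12
    owner = nsec3_hash("a." + zone, salt, iters)   # what the NSEC3 RR owner name exposes
    print(owner, "->", resolve_nsec3_owner(owner, zone, salt, iters))
```

The first assertion below checks the apex hash from RFC 5155 Appendix A, so an operator can use the same function to verify their own signer's NSEC3 output.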