[Dnssec-deployment] DNSSEC for .nz, status update

Roy Arends roy at dnss.ec
Tue Nov 22 14:41:18 EST 2011

On Nov 21, 2011, at 10:54 PM, Mark Andrews wrote:

> In message <Prayer. at hermes-2.csi.cam.ac.uk>, Chris Thom
> pson writes:
>> On Nov 21 2011, Steve Crocker wrote, in connection with "nz" being signed,
>>> Congratulations!
>> Yes indeed. It's good to know that DNSSEC has reached even the nethermost
>> part of the globe .... (just from our point of view, of course)
>> I noticed that "nz" is using NSEC rather than NSEC3. With only 17 distinct
>> names (the apex, one SRV, one DNAME, and 14 delegations) there cannot be
>> much incentive to keep the set secret. Not that this has stopped even
>> smaller zones using NSEC3. Perhaps the most comical is the TLD "xn--kprw13d"
>> which is signed using NSEC3 despite the fact that it has *no* names except
>> the apex, where there is a DNAME redirecting to "xn--kpry57d".
> Some people just like to make nameservers work harder than they need too.
>> Of the 20 TLDs newly signed this calendar year, just 3 have used NSEC
>> rather than NSEC3 ("co", "mm" and now "nz"). The overall statistics are
>> that 27 out of 84 signed TLDs use NSEC rather than NSEC3, although this
>> count is biased by the 11 IANA test zones (which use NSEC).
> NSEC3 is pointless in lots of zone.  It is pointless in IP6.ARPA leaf zones
> and any other zones with a regular structure like IP6.ARPA.  You
> can walk them using plain DNS.

Opt-Out also helps folks to chose NSEC3 over NSEC. 


More information about the Dnssec-deployment mailing list