[Dnssec-deployment] DNSSEC for .nz, status update
marka at isc.org
Thu Nov 24 16:58:17 EST 2011
In message <0346FCC8-0F9A-42CE-BE83-73BCD2774A74 at dnss.ec>, Roy Arends writes:
> On Nov 21, 2011, at 10:54 PM, Mark Andrews wrote:
> > In message <Prayer.18.104.22.1681212022350.4072 at hermes-2.csi.cam.ac.uk>, Chris Thompson writes:
> >> On Nov 21 2011, Steve Crocker wrote, in connection with "nz" being =
> >>> Congratulations!
> >> Yes indeed. It's good to know that DNSSEC has reached even the =
> >> part of the globe .... (just from our point of view, of course)
> >> I noticed that "nz" is using NSEC rather than NSEC3. With only 17 =
> >> names (the apex, one SRV, one DNAME, and 14 delegations) there cannot =
> >> much incentive to keep the set secret. Not that this has stopped even
> >> smaller zones using NSEC3. Perhaps the most comical is the TLD =
> >> which is signed using NSEC3 despite the fact that it has *no* names =
> >> the apex, where there is a DNAME redirecting to "xn--kpry57d".
> > Some people just like to make nameservers work harder than they need =
> >> Of the 20 TLDs newly signed this calendar year, just 3 have used NSEC
> >> rather than NSEC3 ("co", "mm" and now "nz"). The overall statistics =
> >> that 27 out of 84 signed TLDs use NSEC rather than NSEC3, although =
> >> count is biased by the 11 IANA test zones (which use NSEC).
> > NSEC3 is pointless in lots of zones. It is pointless in IP6.ARPA leaf =
> > and any other zones with a regular structure like IP6.ARPA. You
> > can walk them using plain DNS.
> Opt-Out also helps folks to choose NSEC3 over NSEC.
Opt-Out is useless in leaf zones. There are very few zones, overall,
for which Opt-Out provides any benefit.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
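
Added example, not part of the original message: the thread's point that NSEC3 hides little in a small or regularly structured zone follows from the NSEC3 hash being deterministic under the public salt and iteration count, so an operator can check which of their own names anyone could recover by hashing guessable labels. The parameters and the two hashes are the RFC 5155 Appendix A test zone ("example", salt aabbccdd, 12 iterations); the function names and the candidate list are assumptions made for this sketch.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex, lower-cased as NSEC3 owner names appear.
_B32_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                            "0123456789abcdefghijklmnopqrstuv")

def wire_name(name: str) -> bytes:
    """Canonical (lower-case) DNS wire format of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1 of name||salt, then `iterations` extra rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_HEX)

def guessable_names(zone, published_hashes, candidates, salt_hex, iterations):
    """Map each published hash that a candidate label reproduces to its name."""
    hits = {}
    for label in candidates:
        fqdn = f"{label}.{zone}" if label else zone
        h = nsec3_hash(fqdn, salt_hex, iterations)
        if h in published_hashes:
            hits[h] = fqdn
    return hits

# NSEC3 owner hashes from the RFC 5155 Appendix A example zone.
PUBLISHED = {"0p9mhaveqvm6t7vbl5lop2u3t2rp3tom", "35mthgpgcu1qg68fab165klnsnk3dpvl"}
# Constructed candidate labels ("" stands for the zone apex).
CANDIDATES = ["", "a", "www", "mail"]

if __name__ == "__main__":
    found = guessable_names("example", PUBLISHED, CANDIDATES, "aabbccdd", 12)
    for h, name in sorted(found.items()):
        print(h, "->", name)
```
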