On 4/28/16, 18:05, "DNSOP on behalf of Matthew Pounsett" <[email protected] on behalf of [email protected]> wrote:
> On 28 April 2016 at 06:37, Edward Lewis <[email protected]> wrote:
>>
>> Not sure if that answers the question fully. Hope it helps.
>
> It helps, for sure. So if I understand you correctly, at the TLD level it's
> 4:1 in favour of NSEC3, and all of those are opt-out.
> I imagine that will change as the number of DS records rise, but it gives us
> an idea of the scale of the issue.

I do know of one operator who's told me that they are considering swapping NSEC for NSEC3 as the zone size is putting pressure on the infrastructure.

I see other trends that say operator behavior is unpredictable. Operators are still debuting zones with RSA-SHA1, for instance, despite educational efforts to go to something newer.

So, while there's a little bit of pent-up energy to go from NSEC3 to NSEC, there's no telling whether future debuts will feature one or the other.

> So back to Shane's question which I was responding to ...
> We can't say that most zones are NSEC or NSEC3, but we can say there are an
> awful lot of TLDs that are NSEC3 opt-out.

Yep - the question is, if we don't know, can we just go forward with the uncertainty?

> If someone can get me a relatively current, and relatively complete, set of
> TLD zones, I could volunteer to check the next level down. I don't think I
> have time to go through the process of signing and faxing all those zone file
> access agreements though.

If I had time, I've done studies along the lines you are thinking of. Last year I studied the selections of DNSSEC security algorithms and lengths but didn't include NSEC in the work then. Between the time I did the work and got around to talking about it (at CENTR Jamboree 2015) a higher priority work item overcame events.

The data I have access to is pretty much not-the-ccTLDs. File this under best laid plans... I do need to fix my setup last year after changing hardware.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
