On Fri, Sep 03, 2021 at 09:48:56AM +0200, Vladimír Čunát wrote:

> On 03/09/2021 09.32, Paul Wouters wrote:
> > I guess with aggressive nsec, you might even gain some CPU cycles back
> > for that extra memory used, and receive less queries too? Saving you
> > some money?
>
> I think these savings won't be significant in delegation-centric zones
> that are huge enough to consider opt-out. (But from TLDs I'd perhaps
> only consider .com to be huge enough.)

This is my take as well, essentially only .COM (>150M delegations) is so large that presently there's still a compelling case for opt-out. The next batch of large TLDs (.DE, .NET, .ORG, ..., with >10M delegations) are ~10x smaller, and at these scales already the benefit of opt-out is much lower. Indeed prior to COVID-19, IIRC .ORG was slated to switch to NSEC, but that got postponed.

Even .COM may before long reach a signed delegation rate where opt-out starts to become less compelling (presently just 2.63%, but already much higher recent levels):

    https://stats.dnssec-tools.org/tld-graphs/com.png

The .CH TLD has recently introduced DNSSEC incentives, and the signed delegations are rising dramatically, soon to a level where opt-out will make little difference:

    https://stats.dnssec-tools.org/tld-graphs/ch.png

The .SK TLD has recently issued a press release about reaching 50% signed delegations in record time:

    https://sk-nic.sk/we-are-one-of-the-best-in-dnssec-domain-security/

Joining the ranks of the .NO, .CZ, .NL and .SE ccTLDs, which all have more than 50% of their delegations signed. (The .bank and .insurance TLDs which have a 100% signing mandate are at least two orders of magnitude smaller).

--
    Viktor.