On Fri, Sep 03, 2021 at 09:48:56AM +0200, Vladimír Čunát wrote:

> On 03/09/2021 09.32, Paul Wouters wrote:
> > I guess with aggressive nsec, you might even gain some CPU cycles back
> > for that extra memory used, and receive fewer queries too? Saving you
> > some money? 
> 
> I think these savings won't be significant in delegation-centric zones 
> that are huge enough to consider opt-out.  (But from TLDs I'd perhaps 
> only consider .com to be huge enough.)

This is my take as well, essentially only .COM (>150M delegations) is so
large that presently there's still a compelling case for opt-out.

The next batch of large TLDs (.DE, .NET, .ORG, ..., with >10M
delegations) are ~10x smaller, and at these scales already the benefit
of opt-out is much lower.  Indeed prior to COVID-19, IIRC .ORG was
slated to switch to NSEC, but that got postponed.

Even .COM may before long reach a signed delegation rate where opt-out
starts to become less compelling (presently just 2.63%, but already
much higher recent levels):

    https://stats.dnssec-tools.org/tld-graphs/com.png

The .CH TLD has recently introduced DNSSEC incentives, and the signed
delegations are rising dramatically, soon to a level where opt-out will
make little difference:

    https://stats.dnssec-tools.org/tld-graphs/ch.png

The .SK TLD has recently issued a press release about reaching 50%
signed delegations in record time:

    https://sk-nic.sk/we-are-one-of-the-best-in-dnssec-domain-security/

Joining the ranks of the .NO, .CZ, .NL and .SE ccTLDs, which all have
more than 50% of their delegations signed.  (The .bank and .insurance
TLDs which have a 100% signing mandate are at least two orders of
magnitude smaller).

-- 
    Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
