Miek Gieben <m...@miek.nl> writes:

> [ Quoting <o...@ogud.com> in "Re: [DNSOP] nsec3-parameters opinio..." ]
> >The document should strongly discourage any use of NSEC3 <full stop>
> 
> I would very much see a sentence/paragraph stating this in the
> document as well.

Folks, can we boil this down to a concrete suggestion?  Section 3.1
already says this:

   First, if the operational or security features of NSEC3 are not
   needed, then NSEC SHOULD be used in preference to NSEC3.  NSEC3
   requires greater computational power for both authoritative servers
   and validating clients.  Specifically, there is a non trivial
   complexity in finding matching NSEC3 records to randomly generated
   prefixes within a DNS zone.  NSEC mitigates this concern, and if
   NSEC3 must be used then selecting a low iterations count will help
   alleviate this computational burden.  Note that deploying NSEC with
   minimally covering NSEC records [RFC4470] also incurs a cost, and
   zone owners should measure the computational difference in deploying
   both RFC4470 or NSEC3.

Which is fairly strong (SHOULD [use NSEC]) with reasoning behind the
statement already.  How do you think we should specifically change that
text?
-- 
Wes Hardaker
USC/ISI
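To make the "low iterations count" reasoning in the quoted Section 3.1 concrete, here is an added illustration (not part of the draft text or of this message) that implements the RFC 5155 hashed-owner-name computation and counts the SHA-1 work a server or validator spends per denial-of-existence proof. The only hash algorithm RFC 5155 defines is SHA-1; the zone/salt/iterations values in the test come from the RFC 5155 Appendix A example zone. The work estimate counts SHA-1 invocations only (no I/O, no signature verification) and is my own simplification.

```python
"""NSEC3 owner-name hashing (RFC 5155, section 5) and its per-query SHA-1 cost.

Added example for the NSEC-vs-NSEC3 discussion; not draft text.
Assumptions: SHA-1 is the hash (the only one RFC 5155 defines); the cost
model below counts SHA-1 invocations only (a simplification).
"""
import hashlib

# Base32 with the Extended Hex alphabet (RFC 4648 section 7); RFC 5155 uses no padding.
BASE32HEX = "0123456789abcdefghijklmnopqrstuv"


def to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lowercased, length-prefixed labels,
    terminated by the root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def base32hex_nopad(data: bytes) -> str:
    """Encode bytes as base32hex without '=' padding (20 SHA-1 bytes -> 32 chars)."""
    bits = nbits = 0
    out = []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(BASE32HEX[(bits >> nbits) & 0x1F])
    if nbits:
        out.append(BASE32HEX[(bits << (5 - nbits)) & 0x1F])
    return "".join(out)


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> tuple[str, int]:
    """Return (hashed owner label, number of SHA-1 invocations).

    RFC 5155 section 5:  IH(salt, x, 0) = H(x || salt)
                         IH(salt, x, k) = H(IH(salt, x, k-1) || salt)
    so `iterations` extra rounds cost iterations + 1 hash calls in total.
    A salt of "-" in presentation format means the empty salt.
    """
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    calls = 1
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
        calls += 1
    return base32hex_nopad(digest), calls


def denial_work(qname: str, zone: str, iterations: int) -> int:
    """SHA-1 invocations needed to build (or check) a closest-encloser proof for a
    non-existent qname: the name itself and every ancestor up to the apex may have
    to be hashed. A random-prefix query forces this full walk each time, which is
    the cost Section 3.1 refers to; it scales linearly with the iterations count."""
    q = qname.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    if q[-len(z):] != z:
        raise ValueError("qname is not within the zone")
    candidates = len(q) - len(z) + 1  # qname, each ancestor, and the apex
    return candidates * (iterations + 1)


if __name__ == "__main__":
    owner, calls = nsec3_hash("example.", "aabbccdd", 12)
    print(f"H(example.) = {owner}  ({calls} SHA-1 calls)")
    for iters in (0, 12):
        print(f"iterations={iters}: {denial_work('a.b.example.', 'example.', iters)} "
              "SHA-1 calls per random-prefix denial in example.")
```

Running it with the Appendix A parameters reproduces the apex owner name from RFC 5155 (`0p9mhaveqvm6t7vbl5lop2u3t2rp3tom`), and `denial_work` shows why the draft ties the computational argument to the iterations count: every extra iteration adds one SHA-1 per candidate name, with NSEC (no hashing at all) as the baseline the draft prefers.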

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop