On Nov 8, 2021, at 5:45 AM, Wes Hardaker <wjh...@hardakers.net> wrote:
>
> Folks, can we boil this down to a concrete suggestion. Section 3.1
> already says this:
>
> First, if the operational or security features of NSEC3 are not
> needed, then NSEC SHOULD be used in preference to NSEC3. NSEC3
> requires greater computational power for both authoritative servers
> and validating clients. Specifically, there is a non-trivial
> complexity in finding matching NSEC3 records to randomly generated
> prefixes within a DNS zone. NSEC mitigates this concern, and if
> NSEC3 must be used then selecting a low iterations count will help
> alleviate this computational burden. Note that deploying NSEC with
> minimally covering NSEC records [RFC4470] also incurs a cost, and
> zone owners should measure the computational difference in deploying
> both RFC4470 or NSEC3.
>
> Which is fairly strong (SHOULD [use NSEC]) with reasoning behind the
> statement already. How do you think we should specifically change that
> text?
Instead of "low iterations count", maybe "low iterations count (preferably 0)"? --Paul Hoffman
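To make the "iterations count" discussion concrete, here is an added example (not code from the thread or from any DNSOP draft) that implements the RFC 5155 NSEC3 hash and counts the SHA-1 invocations a validator spends on an NXDOMAIN proof. It shows why 0 iterations is the cheapest choice: every extra iteration is one more SHA-1 call per candidate name, and a closest-encloser proof has to hash several candidates. The function names `nsec3_hash`, `owner_to_wire` and `nxdomain_proof_hash_calls` are my own; the salt `aabbccdd` with 12 iterations is the test vector from RFC 5155 Appendix A, and the 150-iteration figure is only a constructed illustration of a high setting.

```python
import base64
import hashlib

# RFC 4648 base32 -> base32hex alphabet translation. A SHA-1 digest is
# 160 bits = exactly 32 base32 characters, so no '=' padding ever appears.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    "0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def owner_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format encoding of an owner name (RFC 4034 s.6.2)."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int):
    """NSEC3 hash per RFC 5155 s.5 with hash algorithm 1 (SHA-1):
        IH(salt, x, 0) = H(x || salt)
        IH(salt, x, k) = H(IH(salt, x, k-1) || salt)   for k > 0
    Returns (lowercase base32hex digest, number of SHA-1 calls made)."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(owner_to_wire(name) + salt).digest()
    calls = 1
    for _ in range(iterations):          # each iteration costs one more SHA-1
        digest = hashlib.sha1(digest + salt).digest()
        calls += 1
    encoded = base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)
    return encoded.lower(), calls


def nxdomain_proof_hash_calls(qname: str, zone: str, salt_hex: str, iterations: int):
    """Hash every candidate closest encloser a validator must try for an
    NXDOMAIN proof (RFC 5155 s.8.3): the qname itself, then each ancestor
    up to and including the zone apex. Returns ([(candidate, hash)], total calls)."""
    q_labels = qname.lower().rstrip(".").split(".")
    z_labels = zone.lower().rstrip(".").split(".")
    if q_labels[-len(z_labels):] != z_labels:
        raise ValueError("qname is not within zone")
    hashes, total = [], 0
    for i in range(len(q_labels) - len(z_labels) + 1):
        candidate = ".".join(q_labels[i:])
        h, calls = nsec3_hash(candidate, salt_hex, iterations)
        hashes.append((candidate, h))
        total += calls
    return hashes, total


if __name__ == "__main__":
    # RFC 5155 Appendix A vector: "example", salt aabbccdd, 12 iterations
    print(nsec3_hash("example", "aabbccdd", 12))
    # Constructed comparison: same proof at 0 vs 150 iterations
    for it in (0, 150):
        _, calls = nxdomain_proof_hash_calls("x.y.example", "example", "aabbccdd", it)
        print(f"iterations={it:3d}: {calls} SHA-1 calls for one NXDOMAIN proof")
```

Any per-query cost on the validator scales linearly with `iterations + 1`, and an authoritative server answering a query for a non-existent name pays the same hashing work to find the covering records; that is the computational burden the draft text refers to, and setting iterations to 0 removes all of it except the single mandatory hash per name.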
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop