On 24. 05. 22 18:21, Wes Hardaker wrote:
>> ** Section 2.2.
>>
>>   In general, NSEC3 with the Opt-Out flag enabled
>>   should only be used in large, highly dynamic zones with a small
>>   percentage of signed delegations. Operationally, this allows for
>>   fewer signature creations when new delegations are inserted into a
>>   zone. This is typically only necessary for extremely large
>>   registration points providing zone updates faster than real-time
>>   signing allows or when using memory-constrained hardware.
>>
>> Qualitative scales such as “large … dynamic zones” and “extremely large
>> registration points” are used. Can the operational experience informing these
>> statements be cited to suggest the scale?
>
> That's a fair point, but hard to fix. In early versions of this
> document, we used more strict wording in places (but not for this
> case). But in the end we're trying to address a sliding problem, and
> there is no perfect line to be drawn.
>
> How about if we end the paragraph with this:
>
>   Operators considering the use of NSEC3 are advised to fully test
>   their zones' deployment architectures and authoritative servers under
>   both regular operational loads to determine the tradeoffs of using
>   NSEC3 instead of NSEC.
Sorry for being so late on this ...
I think we cannot really do better than "large" because the definition of
"large" changes every year with a new CPU model or software
optimization (e.g. better parallelization).
For that reason I believe Wes's proposal is a good one, albeit very generic.
--
Petr Špaček
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop