Re: [DNSOP] NXDOMAIN synthesis for NSEC3 (was call for adoption for draft-fujiwara-dnsop-nsec-aggressiveuse)

2016-04-29 Thread Edward Lewis
On 4/28/16, 18:05, "DNSOP on behalf of Matthew Pounsett" wrote: > On 28 April 2016 at 06:37, Edward Lewis wrote: >> >> Not sure if that answers the question fully. Hope it helps. > > It helps, for sure. So if I

Re: [DNSOP] NXDOMAIN synthesis for NSEC3 (was call for adoption for draft-fujiwara-dnsop-nsec-aggressiveuse)

2016-04-28 Thread Matthew Pounsett
On 28 April 2016 at 06:37, Edward Lewis wrote: > > Not sure if that answers the question fully. Hope it helps. > It helps, for sure. So if I understand you correctly, at the TLD level it's 4:1 in favour of NSEC3, and all of those are opt-out. I imagine that will change

Re: [DNSOP] NXDOMAIN synthesis for NSEC3 (was call for adoption for draft-fujiwara-dnsop-nsec-aggressiveuse)

2016-04-28 Thread Marc Groeneweg
Matthew (and Shane), >>>Also, I'm not sure that it is fair to say "most zones are not signed >>>with NSEC". I guess most *TLD* are signed with NSEC3 either for zone >>>size reasons or in a (misguided IMHO) attempt to keep the zone >>>contents secret. But is this true for domains that are not

Re: [DNSOP] NXDOMAIN synthesis for NSEC3 (was call for adoption for draft-fujiwara-dnsop-nsec-aggressiveuse)

2016-04-28 Thread Shane Kerr
Matthew, At 2016-04-27 08:29:46 -0700 Matthew Pounsett wrote: > On 19 April 2016 at 08:13, Shane Kerr wrote: > > > Also, I'm not sure that it is fair to say "most zones are not signed > > with NSEC". I guess most *TLD* are signed with NSEC3

Re: [DNSOP] NXDOMAIN synthesis for NSEC3

2016-04-27 Thread fujiwara
> From: Shumon Huque > For just the TLDs, "most" is true; I have some data at: > > https://www.huque.com/app/dnsstat/category/tld/dnssec/ > > In short, 895 or 79.1% of the signed TLDs are using NSEC3 Many TLDs use NSEC3 with OPT-OUT. # JP uses NSEC3 with OUT-OUT.

Re: [DNSOP] NXDOMAIN synthesis for NSEC3 (was call for adoption for draft-fujiwara-dnsop-nsec-aggressiveuse)

2016-04-27 Thread Shumon Huque
On Wed, Apr 27, 2016 at 11:29 AM, Matthew Pounsett wrote: > > > On 19 April 2016 at 08:13, Shane Kerr wrote: > >> Also, I'm not sure that it is fair to say "most zones are not signed >> with NSEC". I guess most *TLD* are signed with NSEC3 either

Re: [DNSOP] NXDOMAIN synthesis for NSEC3 (was call for adoption for draft-fujiwara-dnsop-nsec-aggressiveuse)

2016-04-27 Thread Matthew Pounsett
On 19 April 2016 at 08:13, Shane Kerr wrote: > Also, I'm not sure that it is fair to say "most zones are not signed > with NSEC". I guess most *TLD* are signed with NSEC3 either for zone > size reasons or in a (misguided IMHO) attempt to keep the zone contents >

[DNSOP] NXDOMAIN synthesis for NSEC3 (was call for adoption for draft-fujiwara-dnsop-nsec-aggressiveuse)

2016-04-19 Thread Shane Kerr
Stephane, At 2016-04-15 16:13:44 +0200 Stephane Bortzmeyer wrote: > On Sun, Apr 10, 2016 at 10:18:11AM -0400, > Tim Wicinski wrote > a message of 35 lines which said: > > > This starts a Call for Adoption for Aggressive use of NSEC/NSEC3 > >