nsec and nsec3 records

Mark Andrews marka at isc.org
Mon Jun 15 02:22:44 UTC 2009

In message <e754e90906130925m6d9f723eh71090a331a4270c0 at mail.gmail.com>, R Dicai
re writes:
> Hi folks,
> Can both nsec and nsec3 records be used simultaneously in a zone file,
> or is it an either/or?

	NSEC and NSEC3 chains are expected to exist in a zone during
	a incremental transition between the two ways of negatively
	signing a zone.  If there is a complete NSEC3 chain (indicated
	by a NSEC3PARAM record at the zone apex) servers are supposed
	to return NSEC3 proofs.

	NSEC3 is more expensive that NSEC is and really should not
	be used unless you need the features NSEC3 provide.  There
	are additional cost on both the authoritative servers and
	on the validating servers when you use NSEC3.

	TLD's can make use of OPTOUT which is why you see ORG and
	GOV using NSEC3.  End user zones generally can't make use

	Unless you really need to hide the presence of names in a
	zone then you shouldn't use NSEC3.

	Note:  NSEC3 is a waste of time for IN-ADDR.ARPA, IP6.ARPA
	and RBL type zones which use IP addresses as they are highly
	structured and you can enumnerate the contents without
	walking the NSEC chain.

> Thanks
> -- 
> aRDy Music and Rick Dicaire present:
> http://www.ardynet.com
> http://www.ardynet.com:9000/ardymusic.ogg.m3u
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-users mailing list