Magic for NSEC3
B C
brettlists at gmail.com
Wed Jan 7 09:57:10 UTC 2009
On Mon, Jan 5, 2009 at 5:57 PM, Jim <k0jkj at arrl.net> wrote:
> While testing our DNSSEC signing product, I found that the expense of
> signing with NSEC3 versus NSEC was very data dependent. In TLD type
> zones with a sparse number of records that needed to be signed,
> signing time could be reduced from hours to minutes by specifying
> NSEC3. The resultant data files were much smaller than those signed
> with NSEC.
This is presumably a result of OPT-IN and as more child zones are
signed the effect will be less marked.
Brett