In my four previous talks about DNSSEC in Hong Kong, I told audiences about the weakness of NSEC, which allows zone walking, and how NSEC3 prevents this by using hashed owner names to give signed proof of non-existent records. However, I have not touched on NSEC3 Opt-Out, which is aimed at TLDs. Here it is.
With “NSEC3 Opt-Out”, only child zones that are themselves DNSSEC-signed and have had a DS record submitted to the TLD are signed by the TLD operator. For example, if a TLD operator has 500,000 names in its zone and 1% of those child zones have already submitted a DS, then under the Opt-Out scheme the final TLD zone will contain about 5,000 signed DS records (instead of 500,000 signed DS records, 495,000 of which would not need NSEC3 hashed names). Opt-Out reduces the zone file size while still serving DNSSEC optimally at the TLD.
If every child zone in the TLD has submitted a DS, the benefit of Opt-Out is nullified.
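As an added example (not part of the original post), the following Python script computes RFC 5155 NSEC3 hashed owner names and builds the NSEC3 chain of a small constructed TLD zone with and without Opt-Out; under Opt-Out only the apex and the delegations that have a DS get NSEC3 records, with the Opt-Out flag set, while the insecure delegations fall inside the span of the preceding record. The zone name and delegations are constructed sample data.

```python
import base64
import hashlib

# Constructed sample TLD "example." with five delegations; True = the child has a DS at the parent.
DELEGATIONS = {"alpha.example.": True, "beta.example.": False, "gamma.example.": False,
               "delta.example.": True, "epsilon.example.": False}

# Standard base32 alphabet -> base32hex alphabet (RFC 4648 section 7), as used for NSEC3 owner names.
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed `iterations` more times, base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii")

def nsec3_chain(zone, delegations, opt_out, salt=b"", iterations=0):
    """Build the NSEC3 chain as (hashed owner, next hashed owner, flags, type bitmap) tuples.
    With Opt-Out, delegations lacking a DS get no NSEC3 record; they are covered by the
    span of the preceding record, whose Opt-Out flag (bit 0) is set."""
    names = [zone] + [n for n, has_ds in delegations.items() if has_ds or not opt_out]
    hashed = sorted((nsec3_hash(n, salt, iterations), n) for n in names)  # base32hex sorts like the raw hash
    flags = 1 if opt_out else 0
    chain = []
    for i, (owner, name) in enumerate(hashed):
        nxt = hashed[(i + 1) % len(hashed)][0]  # the last record wraps around to the first
        if name == zone:
            types = "NS SOA RRSIG DNSKEY NSEC3PARAM"
        elif delegations[name]:
            types = "NS DS RRSIG"   # secure delegation
        else:
            types = "NS"            # insecure delegation, present only without Opt-Out
        chain.append((owner, nxt, flags, types))
    return chain

if __name__ == "__main__":
    for opt_out in (False, True):
        chain = nsec3_chain("example.", DELEGATIONS, opt_out)
        print(f"opt_out={opt_out}: {len(chain)} NSEC3 records")
        for owner, nxt, flags, types in chain:
            print(f"  {owner}.example. NSEC3 1 {flags} 0 - {nxt} {types}")
```

Passing a dictionary in which every child has a DS yields the same chain length with or without Opt-Out, which is the nullified case described above; `nsec3_hash` can be cross-checked against the hashed owner names in RFC 5155 Appendix A (salt `aabbccdd`, 12 iterations).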