In my past four previous talks about DNSSEC in Hong Kong, I told audiences about weakness of NSEC in zone walking and NSEC3 can prevent this by providing hashed names to give signed proof of non-exsitence records. However, I have not touched on NSEC3+OptOut which aims at TLD. Here it is. 

With “NSEC3 Opt-Out”, only child zones that are themselves DNSSEC signed and having DS suibmitted to TLD will be signed by the TLD operator. An example is that if  a TLD operator has 500,000 names in its zone of which 1% of all child zones have DS already submitted, under the opt-out scheme, the final TLD zone will contain about 5,000 signed DS  (instead of 500,000 signed DS records, of  which 495,000 do not require NSEC3 hashed names). Opt-Out will reduce zone file size while serving DNSSEC optimally at TLD. 

If all child zones in a TLD have DS submitted, the effect of Opt-out will be nullified.

No comments: