Question re prevention of enumeration with DNSSEC (NSEC3, etc.)

Daniel Suchy danny at
Sun May 8 19:28:29 UTC 2022

On 5/8/22 19:48, Warren Kumari wrote:
>>     If zone enumeration was not a real concern, NSEC3 would not exist.
> Ackchyually, that's only partly true — a significant amount of the 
> driver (some would say hte large majority) behind NSEC3 was that it  
> supports "opt-out". This was important in very large, delegation-centric 
> zones (e.g like .com), where the vast majority of delegations were 
> initially not signed. This allows just signing the signed delegation and 
> the holes between them, and not all of the unsigned delegations.

But, with op-out, there're some security concerns around... so TL;DR 
generally you should avoid-it.

More information about the NANOG mailing list