On 1/18/21 11:41 PM, Viktor Dukhovni wrote:
> For the salt to make sense, and warrant rotation, one would have to operate a zone with enough records that some are hard to predict, sensitive and yet published (and not visible in transparency logs, PTR records, ...). This is very much a corner case.
Perhaps, but this and some other arguments seem to be even against attempts to hide zone contents. I didn't mean to consider those in my post, as you had covered them nicely by the NSEC and opt-out bullets. My personal opinion is that most TLDs would better use NSEC instead of NSEC3, though it's possible that I just don't know their motivation for the policy.
