BCP 236

RFC 9276

Guidance for NSEC3 Parameter Settings, August 2022

File formats:

icon for HTML icon for text file icon for v3pdf icon for XML icon for inline errata
Status:
BEST CURRENT PRACTICE
Updates:
RFC 5155
Authors:
W. Hardaker
V. Dukhovni
Stream:
IETF
Source:
dnsop (ops)

Cite this BCP: TXT

Discuss this RFC: Send questions or comments to the mailing list iesg@ietf.org

Other actions: View Errata  |  Submit Errata  |  Find IPR Disclosures from the IETF  |  View History of RFC


Abstract

NSEC3 is a DNSSEC mechanism providing proof of nonexistence by asserting that there are no names that exist between two domain names within a zone. Unlike its counterpart NSEC, NSEC3 avoids directly disclosing the bounding domain name pairs. This document provides guidance on setting NSEC3 parameters based on recent operational deployment experience. This document updates RFC 5155 with guidance about selecting NSEC3 iteration and salt parameters.


For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 8729.




Advanced Search