Hi list,
We plan a DNSSEC signing change for the ch. and li. zone files.
Introduction: Both NSEC and NSEC3 are mechanisms that provide signed DNS records as proof of non-existence for a given name or associated Resource Record Type in a DNSSEC signed zone. While they serve the same primary purpose, NSEC3 offers added features, such as not directly disclosing bounding domain name pairs and providing "opt-out support." This latter feature allows large registries to cover blocks of unsigned delegations with a single NSEC3 record, thereby only signing as many NSEC3 records as there are signed DS or other RRsets in the zone.
Recent trends and developments: Since 2021, there's been a notable increase in the percentage of domain names with DNSSEC for .ch, jumping from 6% to 49% [1]. Additionally, the TLD zone files for both .ch and .li have been made publicly accessible for download in recent years [2]. These developments have rendered the argument for using NSEC3 with opt-out less compelling.
Our action plan: SWITCH is set to transition from NSEC3 (utilizing opt-out) to NSEC for both the .ch and .li TLD zones. Given the high percentage of domain names already employing DNSSEC, this shift will result in only a modest increase in the size of the zone files. Importantly, transitioning to NSEC offers several benefits [3]:
* Enhanced performance and reduced latency
* Decreased resource utilization on both authoritative and recursive servers
* Potential bolstering of resilience against specific types of DoS attacks

Scheduled transition dates:
.li: 10th November 2023, 8 am CET
.ch: 10th November 2023, 10 am CET
Impact assessment: We expect no operational impacts for end users. However, we value feedback and observations. If you have concerns or notice any anomalies related to this transition, please don't hesitate to contact us.
[1] https://www.nic.ch/statistics/dnssec/
[2] https://zonedata.switch.ch/
[3] https://datatracker.ietf.org/doc/html/rfc8198
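The benefits listed above cite RFC 8198, under which a validating resolver answers NXDOMAIN from NSEC records it has already cached instead of querying the authoritative servers again. The following is an added example, not part of the original message and not SWITCH's code: it checks whether a cached NSEC chain proves that a name directly under the apex does not exist. The record names, `SAMPLE_NSEC` and all function names are constructed for illustration.

```python
# Constructed NSEC chain as (owner, next name) pairs; not real .ch zone data.
SAMPLE_NSEC = [
    ("ch.", "alpha.ch."),
    ("alpha.ch.", "delta.ch."),
    ("delta.ch.", "zulu.ch."),
    ("zulu.ch.", "ch."),  # last record wraps back to the apex
]


def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical ordering.

    Labels are lowercased and compared right to left as byte strings.
    Assumes plain ASCII labels with no escaped dots.
    """
    labels = [] if name == "." else name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]


def covers(owner, next_name, qname):
    """True if qname falls strictly inside the gap this NSEC record spans."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    return q > o or q < n  # wrap-around record at the end of the chain


def find_cover(cache, qname):
    """Return the cached NSEC pair that covers qname, or None."""
    for owner, next_name in cache:
        if covers(owner, next_name, qname):
            return owner, next_name
    return None


def synthesize_nxdomain(cache, qname, zone="ch."):
    """Return (name proof, wildcard proof) if the cache alone proves NXDOMAIN.

    Narrowed to names one label below the apex; anything deeper may sit
    under a delegation and needs the full RFC 4035 checks.
    """
    q, z = canonical_key(qname), canonical_key(zone)
    if len(q) != len(z) + 1 or q[:len(z)] != z:
        return None
    name_proof = find_cover(cache, qname)
    wildcard_proof = find_cover(cache, "*." + zone)  # no wildcard may match
    if name_proof and wildcard_proof:
        return name_proof, wildcard_proof
    return None
```

A `None` result means the cache cannot prove non-existence, so the resolver has to query upstream as usual.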