Describe DNSSEC/Opt-Out here.
From the NANOG51 tutorial
1. Opt-Out
- Standard DNSSEC:
  - Every name in a zone has an NSEC
  - Including delegations (NS records)
- Opt-Out DNSSEC:
  - Only secure delegations have an NSEC
  - I.e., delegations to zones that are themselves signed
- Better for large zones like .com:
  - Many names, but few secure delegations
  - Shorter NSEC3 chain
  - Fewer signatures
  - Smaller signed zone
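
To make the size difference concrete, the following added example (not taken from the tutorial) builds the NSEC3 chain for a constructed delegation-only zone with and without opt-out, using the RFC 5155 hash. The names `nsec3_hash`, `nsec3_chain`, `covering_span` and `ZONE` are hypothetical, and one RRSIG per NSEC3 record (a single zone-signing key) is assumed.

```python
import base64
import hashlib

# base32hex alphabet translation (RFC 4648 "extended hex"), lowercase as in zone files
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5 hash of an owner name, as a base32hex label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def nsec3_chain(apex, delegations, opt_out, salt=b"", iterations=0):
    """Return sorted (owner_hash, next_hash) pairs for the zone.

    delegations maps a child name to True when a DS exists (secure delegation).
    With opt_out, insecure delegations get no NSEC3 of their own.
    """
    names = [apex] + [n for n, secure in delegations.items()
                      if secure or not opt_out]
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]

def covering_span(chain, name, salt=b"", iterations=0):
    """Find the NSEC3 span whose hash interval covers a name left out of the chain."""
    h = nsec3_hash(name, salt, iterations)
    for owner, nxt in chain:
        if owner < h < nxt or (owner >= nxt and (h > owner or h < nxt)):
            return owner, nxt
    return None  # the name has its own NSEC3 (hash matches an owner)

# Constructed zone: 1000 delegations, every 50th one signed (has a DS).
ZONE = {f"child{i}.example": i % 50 == 0 for i in range(1000)}

if __name__ == "__main__":
    for opt_out in (False, True):
        chain = nsec3_chain("example", ZONE, opt_out)
        # Assumption: one RRSIG per NSEC3 record, so both counts equal len(chain).
        print(f"opt_out={opt_out}: {len(chain)} NSEC3 records and RRSIGs")
```

An insecure delegation left out of the opt-out chain is still accounted for by the span that covers its hash, which is what `covering_span` returns.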