{"draft":"draft-ietf-dnsop-nsec3-guidance-10","doc_id":"RFC9276","title":"Guidance for NSEC3 Parameter Settings","authors":["W. Hardaker","V. Dukhovni"],"format":["HTML","TEXT","PDF","XML"],"page_count":"10","pub_status":"BEST CURRENT PRACTICE","status":"BEST CURRENT PRACTICE","source":"Domain Name System Operations","abstract":"NSEC3 is a DNSSEC mechanism providing proof of nonexistence by\r\nasserting that there are no names that exist between two domain names\r\nwithin a zone.  Unlike its counterpart NSEC, NSEC3 avoids directly\r\ndisclosing the bounding domain name pairs.  This document provides\r\nguidance on setting NSEC3 parameters based on recent operational\r\ndeployment experience.  This document updates RFC 5155 with guidance\r\nabout selecting NSEC3 iteration and salt parameters.","pub_date":"August 2022","keywords":["DNSSEC","DNS","NSEC3","NSEC","Denial of Existence"],"obsoletes":[],"obsoleted_by":[],"updates":["RFC5155"],"updated_by":[],"see_also":["BCP0236"],"doi":"10.17487\/RFC9276","errata_url":"https:\/\/www.rfc-editor.org\/errata\/rfc9276"}