About this blog…

I am employed by Netnod as head of engineering, research and development and am among other things chair of the Security and Stability Advisory Committee at ICANN. You can find CV and photos of me at this page.

As I wear so many hats, I find it being necessary to somewhere express my personal view on things. This is the location where that happens. Postings on this blog, or at Facebook, Twitter etc, falls under this policy.

The views expressed on this post are mine and do not necessarily reflect the views of Netnod or any other of the organisations I have connections to.

DNSSEC moves forward in Brazil

My friend Frederico Neves of the .BR ccTLD registry just reported that they are now moving forward with NSEC3 (a DNSSEC extension) in .BR top level domain. This is excellent news, and my hat is off for all the hard work Fred and his colleagues have done the last couple of years.

Since 1200 GMT today .com.br is signed using NSEC3. This is a 1.4M
delegations zone and it's using opt-out with a 100 names gap.

As expected the zone size increase is minimal and the average response
size doubled because of the large (~60%) DO bit presence.

This ends our initial DNSSEC deployment effort. Now all .br
delegations have DNSSEC available. 61 zones using NSEC and 2 using

The sec3.br testbed will be phased-out in 90 days,


% dig @a.dns.br com.br ds +dnssec +multi +short
19740 7 1 A8BDED281324F283E9933BF048C8230A4B32B2A6
DS 5 2 86400 20090122120001 20090115120001 33498
	br. BIsqRqjTADBDI/uhpZrGvoesrHAnRbbliqqBb/BmQqk39cXfppv4xx0F

% dig @a.dns.br port53.com.br ds +dnssec +multi +short
28004 5 1 0307C113CFEB7CB04C25E759C942AA4D32887AA6
DS 7 3 86400 20090122123002 20090115123002 19740
	com.br. bl8bvZW36lMm4Fp3agcO9xDpmZtTB8i0czXCTAL3B8PMYE0XzwClUZEc
	6BKTTRoxcAjtgOeZEH8td9gicPJDKHJ7AHvEcy/tto0drqd9Ue5kATsJ K00=

Comments are closed.