My friend Frederico Neves of the .BR ccTLD registry just reported that they are now moving forward with NSEC3 (a DNSSEC extension) in .BR top level domain. This is excellent news, and my hat is off for all the hard work Fred and his colleagues have done the last couple of years.
Since 1200 GMT today .com.br is signed using NSEC3. This is a 1.4M delegations zone and it's using opt-out with a 100 names gap. As expected the zone size increase is minimal and the average response size doubled because of the large (~60%) DO bit presence. This ends our initial DNSSEC deployment effort. Now all .br delegations have DNSSEC available. 61 zones using NSEC and 2 using NSEC3. The sec3.br testbed will be phased-out in 90 days, Regards, Fred % dig @a.dns.br com.br ds +dnssec +multi +short 19740 7 1 A8BDED281324F283E9933BF048C8230A4B32B2A6 DS 5 2 86400 20090122120001 20090115120001 33498 br. BIsqRqjTADBDI/uhpZrGvoesrHAnRbbliqqBb/BmQqk39cXfppv4xx0F BP3im2LjNkMgXBFlXr0ELpnG0xIJEE670BMMHG9h5Xh5rnUIBZLEV8UN SjvuWA/m/WIiNxTHjO5pglhZpapScCwOQCsRjTg/xN3POhl3qUAe4okg Jta/333mbNGv5eH95GozvCCd % dig @a.dns.br port53.com.br ds +dnssec +multi +short 28004 5 1 0307C113CFEB7CB04C25E759C942AA4D32887AA6 DS 7 3 86400 20090122123002 20090115123002 19740 com.br. bl8bvZW36lMm4Fp3agcO9xDpmZtTB8i0czXCTAL3B8PMYE0XzwClUZEc YYP972EHzp10FBFXYK5hilOJl935LZUFz8e0tceCMqIKz1J7Q2lFCq9e 6BKTTRoxcAjtgOeZEH8td9gicPJDKHJ7AHvEcy/tto0drqd9Ue5kATsJ K00=