DNSSEC moves forward in Brazil

My friend Frederico Neves of the .BR ccTLD registry just reported that they are now moving forward with NSEC3 (a DNSSEC extension) in .BR top level domain. This is excellent news, and my hat is off for all the hard work Fred and his colleagues have done the last couple of years.


Since 1200 GMT today .com.br is signed using NSEC3. This is a 1.4M
delegations zone and it's using opt-out with a 100 names gap.

As expected the zone size increase is minimal and the average response
size doubled because of the large (~60%) DO bit presence.

This ends our initial DNSSEC deployment effort. Now all .br
delegations have DNSSEC available. 61 zones using NSEC and 2 using
NSEC3.

The sec3.br testbed will be phased-out in 90 days,

Regards,
Fred

% dig @a.dns.br com.br ds +dnssec +multi +short
19740 7 1 A8BDED281324F283E9933BF048C8230A4B32B2A6
DS 5 2 86400 20090122120001 20090115120001 33498
	br. BIsqRqjTADBDI/uhpZrGvoesrHAnRbbliqqBb/BmQqk39cXfppv4xx0F
	BP3im2LjNkMgXBFlXr0ELpnG0xIJEE670BMMHG9h5Xh5rnUIBZLEV8UN
	SjvuWA/m/WIiNxTHjO5pglhZpapScCwOQCsRjTg/xN3POhl3qUAe4okg
	Jta/333mbNGv5eH95GozvCCd

% dig @a.dns.br port53.com.br ds +dnssec +multi +short
28004 5 1 0307C113CFEB7CB04C25E759C942AA4D32887AA6
DS 7 3 86400 20090122123002 20090115123002 19740
	com.br. bl8bvZW36lMm4Fp3agcO9xDpmZtTB8i0czXCTAL3B8PMYE0XzwClUZEc
	YYP972EHzp10FBFXYK5hilOJl935LZUFz8e0tceCMqIKz1J7Q2lFCq9e
	6BKTTRoxcAjtgOeZEH8td9gicPJDKHJ7AHvEcy/tto0drqd9Ue5kATsJ K00=