In message <fa2e1350901031122w75768929h3b17e0a47b806...@mail.gmail.com>, 
"Jonathan Petersson"
 writes:
> Hi all,
> 
> Hopefully this post won't cause as much SPAM as my last one. About a
> year ago I started looking into DNSSEC and how to work with it for
> dynamic updates etc. Since only NSEC was supported, allowing whomever
> to do an unauthorized zone-transfer I canceled my projects, later
> finding out that NSEC3 would stop the behavior.

        One really needs to look at the cost benefit analysis to
        decide whether to use NSEC or NSEC3.  NSEC3 is much more
        expensive than NSEC for both authoritative servers and
        validators.  There are almost no zones that need
        that level of protection.

        Stopping AXFR/IXFR has almost zero cost so for many people
        it has become reflex without any need to justify it.  Stopping
        zone enumeration has a relatively high cost.

        Note for many servers stopping AXFR/IXFR was not about the
        zone content and more about preserving file descriptors for
        use by the slaves and legitimate TCP clients rather than the
        curious.

> With the release of BIND 9.6 my understanding is that NSEC3 is now
> supported, however, after reading the DNSSEC ARM for 9.6 I'm pretty
> clueless as whether there's any magic sauce to get NSEC3 records vs.
> NSEC.
> 
> If anyone has a pointer that would be of help, I've tried using
> NSEC3RSASHA1 keys without success of getting NSEC3 records.

        NSEC3RSASHA1 allows the use of either NSEC or NSEC3 when
        signing the zone.  You need to tell dnssec-signzone which
        one to use.

        dnssec-signzone -3 salt [-H iterations] [-A] ....

> Thx
> 
> /Jonathan
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
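The two points above (the salt and iteration count passed with -3 and -H drive the cost of NSEC3, and an NSEC chain exposes owner names in the clear while an NSEC3 chain links hashes) can be made concrete with the hash defined in RFC 5155 section 5. The following is an added example and not code from the thread or from BIND; it reimplements the NSEC3 owner-name hash in Python, builds both chain types for a small constructed zone, and checks the apex hash against the RFC 5155 Appendix A test vector (salt aabbccdd, 12 iterations). The zone names are made up; the canonical-order helper assumes ASCII labels.

```python
import base64
import hashlib

# Base32 with the "extended hex" alphabet (RFC 4648 section 7), which NSEC3
# uses so that hashed owner names sort the same way as the raw digests.
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_STD_TO_HEX = str.maketrans(_B32_STD, _B32_HEX)


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = b""
    for label in labels:
        raw = label.lower().encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"          # root label terminates the name


def base32hex(data: bytes) -> str:
    # A 20-byte SHA-1 digest is 160 bits = 32 full base32 characters, so no
    # '=' padding survives the strip.  Zone files show the result lowercase.
    return base64.b32encode(data).decode("ascii").rstrip("=").translate(_STD_TO_HEX).lower()


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt),
    IH(salt, x, k) = H(IH(salt, x, k-1) || salt); hash algorithm 1 is SHA-1.
    '-' for the salt mirrors dnssec-signzone's spelling of "no salt"."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def sha1_invocations(zone_names: int, iterations: int) -> int:
    """SHA-1 calls needed to hash every owner name once: iterations+1 per name.
    The signer pays this once per signing; a validator pays it again for every
    name it must hash to check a denial-of-existence proof."""
    return zone_names * (iterations + 1)


def canonical_key(name: str):
    """Sort key for RFC 4034 section 6.1 canonical ordering (ASCII labels only)."""
    return tuple(reversed([l.lower() for l in name.rstrip(".").split(".") if l]))


def nsec_chain(names):
    """NSEC links each owner name to the next owner name in canonical order,
    so walking the chain enumerates the zone's names in the clear."""
    order = sorted(names, key=canonical_key)
    return [(order[i], order[(i + 1) % len(order)]) for i in range(len(order))]


def nsec3_chain(names, salt_hex: str, iterations: int):
    """NSEC3 links hashed owner names in hash order: each entry is
    (hashed owner, next hashed owner, original name for reference)."""
    hashed = {nsec3_hash(n, salt_hex, iterations): n for n in names}
    order = sorted(hashed)
    return [(h, order[(i + 1) % len(order)], hashed[h]) for i, h in enumerate(order)]


if __name__ == "__main__":
    # Constructed zone; "example." with salt aabbccdd and 12 iterations matches
    # the RFC 5155 Appendix A vector 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.
    zone = ["example.", "a.example.", "ai.example.", "ns1.example.", "www.example."]
    print("NSEC chain (names in the clear):")
    for owner, nxt in nsec_chain(zone):
        print("  %-14s NSEC %s" % (owner, nxt))
    print("NSEC3 chain (salt aabbccdd, 12 iterations):")
    for h, nxt, orig in nsec3_chain(zone, "aabbccdd", 12):
        print("  %s.example. NSEC3 1 0 12 aabbccdd %s   ; %s" % (h, nxt, orig))
    print("SHA-1 calls to hash a 100k-name zone at -H 12:",
          sha1_invocations(100_000, 12))
```

The hash order in the NSEC3 chain bears no relation to the name order, which is what stops an off-the-shelf chain walk; the price is the iterations+1 SHA-1 calls per name shown by sha1_invocations, paid by dnssec-signzone at -3 salt -H iterations and again by every validator that has to hash query names to check a denial. Opt-out (-A in the message) only shrinks the chain for unsigned delegations; it does not change the per-name cost.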
