On 03/07/2012 08:50 AM, Marco Davids (SIDN) wrote:

I also find it a bit strange that BIND decides to go for NSEC, even when
the KSK and ZSK are configured with algorithm: 7 (NSEC3RSASHA1).


As I understand it, NSEC3 incurs overhead at validating resolvers. That being the case, it is unfriendly to use it unless you really need it, because you're increasing the load on everyone else.

It's unclear to me how many people have genuine concerns with zone walking that NSEC3 is an appropriate response to; putting sensitive names in a private subdomain or using split DNS would seem to be "safer" if you're concerned about the hax0rs getting a list of all your machines (and don't forget to remove them all from reverse DNS, which takes minutes to walk given a target /16).
_______________________________________________

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

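The two points in the reply above (NSEC chains can be walked to enumerate a zone; NSEC3 costs validators extra hashing and only hides names behind guessable hashes) are illustrated by the following added example. It is not code from the thread, from BIND or from ISC; the NSEC chain, the zone name example.com. and the wordlist are constructed for the illustration, and the salt and iteration count are arbitrary values chosen to match the parameters RFC 5155 uses in its Appendix A test vectors. The NSEC3 hash itself follows RFC 5155 section 5 (SHA-1 over the canonical wire-format name plus salt, iterated, base32hex encoded).

```python
"""Added example (not from the bind-users thread): zone walking over an NSEC
chain, the NSEC3 hashed-owner computation from RFC 5155, and an offline
dictionary attack against NSEC3 hashed names.  All records and names below are
constructed for illustration; 'example.com.' is not a real signed zone here."""
import hashlib
import base64

# Translation from the standard base32 alphabet (RFC 4648 section 6) to
# base32hex (RFC 4648 section 7), which NSEC3 uses for hashed owner names.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    "0123456789ABCDEFGHIJKLMNOPQRSTUV",
)

# Constructed NSEC chain for a hypothetical zone: owner name -> next owner name.
# In a live walk each pair comes from the NSEC record in an NXDOMAIN response.
NSEC_CHAIN = {
    "example.com.": "db.example.com.",
    "db.example.com.": "mail.example.com.",
    "mail.example.com.": "www.example.com.",
    "www.example.com.": "example.com.",  # last record wraps around to the apex
}


def walk_nsec(apex, chain):
    """Enumerate every name in a zone by following NSEC 'next owner' pointers.

    Each NSEC record proves that no names exist between its owner and the next
    owner, so the whole chain is a sorted list of every name in the zone; that
    is exactly what makes NSEC trivially walkable.
    """
    names = [apex]
    cur = chain[apex]
    while cur != apex:
        if cur in names:
            raise ValueError("NSEC chain loops without returning to the apex")
        names.append(cur)
        cur = chain[cur]
    return names


def name_to_wire(name):
    """Canonical wire form (RFC 4034 section 6.2): lowercase labels, each
    prefixed with its length, terminated by the zero-length root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name, salt=b"", iterations=0):
    """Hashed owner name per RFC 5155 section 5:
    IH(salt, x, 0) = SHA-1(x || salt); IH(salt, x, k) = SHA-1(IH(salt, x, k-1) || salt).
    Returns the lowercase base32hex encoding (32 characters for SHA-1)."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def validator_hash_ops(iterations, qname_labels):
    """Upper bound on SHA-1 invocations a validating resolver spends on one
    NXDOMAIN proof: the closest-encloser search (RFC 5155 section 8.3) may hash
    every ancestor of the query name, and each hash costs iterations + 1 SHA-1
    calls.  This is the per-query overhead the reply refers to."""
    return qname_labels * (iterations + 1)


def guess_nsec3_names(hashed_owners, zone, wordlist, salt, iterations):
    """Offline dictionary attack on NSEC3: salt and iteration count are public
    in the NSEC3 records, so an attacker precomputes hashes for likely labels
    and matches them against the hashed owner names seen on the wire."""
    table = {nsec3_hash(f"{word}.{zone}", salt, iterations): f"{word}.{zone}"
             for word in wordlist}
    return {h: table[h] for h in hashed_owners if h in table}


if __name__ == "__main__":
    print("NSEC walk:", walk_nsec("example.com.", NSEC_CHAIN))
    salt, iters = bytes.fromhex("aabbccdd"), 12  # arbitrary, RFC 5155 App. A style
    hashed = [nsec3_hash(n, salt, iters) for n in NSEC_CHAIN]
    print("NSEC3 hashed owners:", hashed)
    found = guess_nsec3_names(hashed, "example.com.",
                              ["www", "mail", "ns1", "db"], salt, iters)
    print("recovered by dictionary:", found)
    print("SHA-1 calls per NXDOMAIN proof at 12 iterations, 3-label qname:",
          validator_hash_ops(iters, 3))
```

To check the hash function against published values, RFC 5155 Appendix A lists the hashed owner names of its example zone "example." for salt aabbccdd and 12 iterations. The dictionary step is the practical caveat behind the reply's point: NSEC3 with a public salt turns zone walking into an offline guessing exercise rather than preventing it, while every validating resolver still pays the iteration cost on each negative answer.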