Hi Bert!

On 09.04.2013 12:00, bert hubert wrote:
> On Tue, Apr 09, 2013 at 11:28:28AM +0200, Klaus Darilion wrote:
>> It seems the term "narrow" is not a general NSEC3 term, but a PDNS
>> term. Unfortunately I could not find a description what "narrow" vs.
>> "non-narrow" means. Maybe someone can describe this or extend the
>> docs (and if "narrow" is related to "opt-out" or not).
>
> Hi Klaus,
>
> Good catch. To answer the question what is NSEC3 narrow mode, the best we
> offer right now is in paragraph 4.1 of the documentation,
> http://doc.powerdns.com/html/powerdnssec.html :
>
> "NSEC3 in 'narrow' mode uses additional hashing calculations to provide
>   hashed secure denial of existence 'on the fly', without further involving
>   the database."

Ah, I missed section 4.1.

> So, whereas we normally trawl the database to find the two hashes that form
> an NSEC3 range, in narrow mode we emit a '1 byte wide' range that covers the
> query.
>
> Perhaps look at this as RFC 4470 for RFC 5155. It has some precedent in Dan
> Kaminsky's Phreebird http://dankaminsky.com/phreebird/

In our setup (built by somebody else) I do not see any NSEC3 specific configuration. So which mode is used then? We use PDNS as secondary, thus the database is filled by PowerDNS on zone transfers. I see that the records.ordername column is filled with hashes, thus I guess it is using either 'broad' or 'inclusive' mode. How do I know which one is used, and does it actually matter which mode is used (what is the difference between 'broad' and 'inclusive')?

Thanks
Klaus
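A worked illustration of the two modes Bert describes in the quoted text (database-backed NSEC3 versus narrow mode), added here as an example; it is not PowerDNS code. It implements the RFC 5155 hash (SHA-1 over the wire-format name with salt and iterations, base32hex output, the form stored in the records.ordername column), then builds a covering NSEC3 range both ways: from a constructed sorted list of hashed owner names standing in for the database, and in narrow mode without any lookup. The narrow-range boundaries (the query's own hash minus one and plus one) are an assumption about what Bert's "1 byte wide" range means; the zone names, the salt aabbccdd and 12 iterations are constructed values borrowed from the RFC 5155 examples.

```python
import base64
import bisect
import hashlib
from typing import List, Tuple

# Constructed parameters: the salt and iteration count from the RFC 5155 examples.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
HASH_BITS = 160  # SHA-1 output, the only hash algorithm NSEC3 defines


def to_wire(name: str) -> bytes:
    """Owner name in canonical wire format: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_digest(name: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """RFC 5155 section 5: H(x) = SHA1(x || salt), re-applied `iterations` extra times."""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


# Standard base32 alphabet -> base32hex (RFC 4648 "extended hex"); this alphabet
# sorts in the same order as the raw hash bytes, which is what NSEC3 chains rely on.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def to_base32hex(raw: bytes) -> str:
    """Lowercase base32hex without padding, as seen in NSEC3 owner names."""
    return base64.b32encode(raw).translate(_B32_TO_B32HEX).decode().rstrip("=").lower()


def nsec3_hash(name: str) -> str:
    return to_base32hex(nsec3_digest(name))


def narrow_nsec3_range(qname: str) -> Tuple[str, str]:
    """Narrow mode: no database lookup at all. Assumed boundaries: the query's own
    hash minus one and plus one, the smallest range that still covers it."""
    h = int.from_bytes(nsec3_digest(qname), "big")
    owner = (h - 1) % (1 << HASH_BITS)
    nxt = (h + 1) % (1 << HASH_BITS)
    return (to_base32hex(owner.to_bytes(20, "big")),
            to_base32hex(nxt.to_bytes(20, "big")))


def db_nsec3_range(qname: str, ordernames: List[str]) -> Tuple[str, str]:
    """Non-narrow mode: locate the closest preceding hash among the zone's real
    hashed owner names (the sorted ordername column) and its successor, wrapping
    around at the end of the hash space as the last record of an NSEC3 chain does.
    An existing name comes back as its own NSEC3 (owner == its hash)."""
    chain = sorted(ordernames)
    qhash = nsec3_hash(qname)
    i = bisect.bisect_right(chain, qhash)
    owner = chain[i - 1] if i > 0 else chain[-1]
    nxt = chain[i] if i < len(chain) else chain[0]
    return owner, nxt


def covers(owner: str, nxt: str, qhash: str) -> bool:
    """True when qhash lies strictly inside (owner, nxt); the chain's last record
    has a next hash smaller than its owner and covers both ends of the space."""
    if owner < nxt:
        return owner < qhash < nxt
    return qhash > owner or qhash < nxt


def nsec3_rr(zone: str, owner: str, nxt: str, opt_out: bool = False) -> str:
    """Render the NSEC3 record text. The Opt-Out bit lives in the flags field and
    is independent of whether the range came from the database or narrow mode."""
    flags = 1 if opt_out else 0
    return f"{owner}.{zone}. NSEC3 1 {flags} {ITERATIONS} {SALT.hex()} {nxt}"


if __name__ == "__main__":
    # Constructed zone: only these names exist, so only their hashes are "in the database".
    zone = "example"
    existing = ["example", "a.example", "ns1.example", "www.example"]
    ordernames = [nsec3_hash(n) for n in existing]
    q = "nonexistent.example"
    print("query hash :", nsec3_hash(q))
    print("database   :", nsec3_rr(zone, *db_nsec3_range(q, ordernames)))
    print("narrow     :", nsec3_rr(zone, *narrow_nsec3_range(q)))
```

Running it shows the practical difference: the database-backed record's owner and next hash are both hashes of names that really exist in the zone, so a validator (or anyone collecting NSEC3 records) learns two real hashed names per denial, while the narrow-mode record's boundaries are synthetic and reveal nothing beyond the queried name's hash.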

_______________________________________________
Pdns-users mailing list
http://mailman.powerdns.com/mailman/listinfo/pdns-users
