On Apr 9, 2013, at 3:37 PM, Klaus Darilion wrote:
>> "NSEC3 in 'narrow' mode uses additional hashing calculations to provide
>> hashed secure denial of existence 'on the fly', without further involving
>> the database."
>
> Ah, I missed section 4.1.
It is only one line, so easy enough to miss.
> I do not see any NSEC3 specific configuration. So which mode is used then? We
> use PDNS as secondary, thus the database is filled by PowerDNS on zone
> transfers. I see that the records.ordername column is filled with hashes,
> thus I guess it is using either 'broad' or 'inclusive' mode. How do I know
> which one is used, and does it actually matter which mode is used (what is
> the difference between 'broad' and 'inclusive')?
If you run a secondary over AXFR, your zone will be pre-signed (if the actual
signing happens on the master). In that case the secondary does not have the
keys and can't do 'narrow' mode.
pdnssec show-zone will give you all the details.
The difference is mostly one of performance, although this is not black or
white - some people have reported narrow to be faster, although it should be
somewhat slower in many cases. All in all it does not matter that much.
Bert
_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
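The exchange above turns on two things: the hashes that land in records.ordername on a pre-signed secondary, and what 'narrow' mode does instead of storing them. The Python below is an added illustration, not code from the thread or from PowerDNS: it computes the RFC 5155 NSEC3 owner-name hash, builds the sorted hash table a pre-signed zone carries, and contrasts a table lookup for a non-existent name with the narrow-mode approach of synthesising a covering pair around the query hash on the fly. The zone names and query are constructed; the NSEC3PARAM values (salt aabbccdd, 12 iterations) are the ones from RFC 5155 Appendix A, and the hash-1/hash+1 synthesis is my reading of how narrow mode avoids the database, not a description of PowerDNS internals.

```python
"""NSEC3 hashing (RFC 5155) and the two ways of finding the record that covers a
non-existent name: a pre-computed hash table (what a pre-signed secondary keeps
in records.ordername) versus 'narrow' mode, which needs no table at all.
Added illustration, not PowerDNS code; zone and query names are constructed."""
import base64
import bisect
import hashlib

# RFC 4648 base32 -> base32hex alphabet; base32hex preserves the byte-wise sort
# order, which is what lets the hashes be ordered in a database column.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical DNS wire format: lowercase, length-prefixed labels, root byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_digest(name: str, salt_hex: str = "-", iterations: int = 0) -> bytes:
    """RFC 5155 section 5: SHA-1(wire || salt), then `iterations` further rounds."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def b32hex(digest: bytes) -> str:
    """20-byte digest -> 32 lowercase base32hex characters (no padding needed)."""
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def nsec3_hash(name: str, salt_hex: str = "-", iterations: int = 0) -> str:
    return b32hex(nsec3_digest(name, salt_hex, iterations))


def ordername_table(names, salt_hex, iterations):
    """What a pre-signed zone carries: every owner name hashed and sorted."""
    return sorted(nsec3_hash(n, salt_hex, iterations) for n in names)


def covering_from_table(table, qname, salt_hex, iterations):
    """Table lookup: return the (owner, next) hash pair covering qname, or None
    if qname exists. The ring wraps, so the last record covers the gap to the first."""
    qhash = nsec3_hash(qname, salt_hex, iterations)
    i = bisect.bisect_left(table, qhash)
    if i < len(table) and table[i] == qhash:
        return None
    owner = table[i - 1] if i > 0 else table[-1]
    nxt = table[i] if i < len(table) else table[0]
    return owner, nxt


def covering_narrow(qname, salt_hex, iterations):
    """Narrow mode as discussed in the thread (assumed shape): no table; hash the
    query name and synthesise the minimal covering pair (hash-1, hash+1)."""
    n = int.from_bytes(nsec3_digest(qname, salt_hex, iterations), "big")
    lo = ((n - 1) % (1 << 160)).to_bytes(20, "big")
    hi = ((n + 1) % (1 << 160)).to_bytes(20, "big")
    return b32hex(lo), b32hex(hi)


def covers(pair, qhash):
    """True if qhash lies strictly between owner and next on the hash ring."""
    owner, nxt = pair
    if owner < nxt:
        return owner < qhash < nxt
    return qhash > owner or qhash < nxt   # wrap-around record


if __name__ == "__main__":
    # Constructed zone; NSEC3PARAM values taken from RFC 5155 Appendix A.
    SALT, ITER = "aabbccdd", 12
    zone = ["example", "a.example", "ai.example", "ns1.example", "w.example"]
    table = ordername_table(zone, SALT, ITER)
    q = "nonexistent.example"
    print("stored ordernames :", table)
    print("table lookup      :", covering_from_table(table, q, SALT, ITER))
    print("narrow on-the-fly :", covering_narrow(q, SALT, ITER))
```

The table path is what a secondary filled over AXFR can serve, because the hashes are already there; the narrow path needs the zone's keys to sign the synthesised pair, which is why a pre-signed secondary cannot run in that mode.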