On 09.04.2013 21:49, bert hubert wrote:
> On Apr 9, 2013, at 3:37 PM, Klaus Darilion wrote:
>> "NSEC3 in 'narrow' mode uses additional hashing calculations to
>> provide hashed secure denial of existence 'on the fly', without
>> further involving the database."
>> Ah, I missed section 4.1.
>
> It is only one line, so easy enough to miss.
>
>> I do not see any NSEC3 specific configuration. So which mode is used
>> then? We use PDNS as secondary, thus the database is filled by
>> PowerDNS on zone transfers. I see that the records.ordername column
>> is filled with hashes, thus I guess it is using either 'broad' or
>> 'inclusive' mode. How do I know which one is used, and does it
>> actually matter which mode is used (what is the difference between
>> 'broad' and 'inclusive')?
>
> If you run a secondary over AXFR, your zone will be pre-signed (if
> the actual signing happens on the master). In that case the secondary
> does not have the keys and can't do 'narrow' mode.
>
> pdnssec show-zone will give you all the details.
>
> The difference is mostly one of performance, although this is not
> black or white - some people have reported narrow to be faster,
> although it should be somewhat slower in many cases. All in all it
> does not matter that much.

    # pdnssec show-zone example.at
    Zone has hashed NSEC3 semantics, configuration: 1 1 10 beef
    Zone is presigned
    No keys for zone 'example.at'.

So, as expected it is not in "narrow" mode. But which mode is it?
'broad' or 'inclusive' mode? And what is the difference between 'broad'
and 'inclusive' mode?
I think it would be nice to add the terms "narrow/broad/inclusive" also
to the output.
Thanks
Klaus
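The hashes in records.ordername are the RFC 5155 NSEC3 owner-name hashes derived from the parameters that `pdnssec show-zone` prints ("1 1 10 beef" above: algorithm 1 = SHA-1, flags 1, 10 extra iterations, salt 0xbeef). The following is an added example, not PowerDNS code, that recomputes such a hash so you can compare it with what is stored for a name in the zone; the owner names under example.at are made up for illustration, and `-` for an empty salt follows the NSEC3PARAM presentation format.

```python
import base64
import hashlib

# RFC 5155 encodes the digest in base32hex (RFC 4648 extended hex alphabet);
# translate Python's standard base32 alphabet to it.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def parse_nsec3_params(config: str):
    """Parse 'algorithm flags iterations salt' as printed by pdnssec show-zone,
    e.g. '1 1 10 beef'. A salt of '-' means an empty salt."""
    algo, flags, iterations, salt = config.split()
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return int(algo), int(flags), int(iterations), salt_bytes


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed
    labels, terminated by the root label (0x00)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, iterations: int, salt: bytes, algo: int = 1) -> str:
    """RFC 5155 section 5: H(x) = SHA-1(x || salt), applied iterations+1 times,
    then base32hex-encoded. Only hash algorithm 1 (SHA-1) is defined."""
    if algo != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    digest = owner_to_wire(name)
    for _ in range(iterations + 1):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def ordername_for(config: str, name: str) -> str:
    """The value records.ordername should hold for `name` under these parameters."""
    algo, _flags, iterations, salt = parse_nsec3_params(config)
    return nsec3_hash(name, iterations, salt, algo)


if __name__ == "__main__":
    # Parameters exactly as show-zone printed them in the thread; names are constructed.
    for owner in ("example.at", "www.example.at", "doesnotexist.example.at"):
        print(f"{owner:28s} {ordername_for('1 1 10 beef', owner)}")
```

Compare the output against `SELECT name, ordername FROM records WHERE ...` for the same names: a match confirms both the parameters and that the stored hashes are correct; a presigned secondary must agree with the master's NSEC3PARAM or denial-of-existence answers will fail validation.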
_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users