Re: Magic for NSEC3
On Mon, Jan 5, 2009 at 5:57 PM, Jim k0...@arrl.net wrote:

While testing our DNSSEC signing product, I found that the expense of signing with NSEC3 versus NSEC was very data dependent. In TLD-type zones with a sparse number of records that needed to be signed, signing time could be reduced from hours to minutes by specifying NSEC3. The resultant data files were much smaller than those signed with NSEC. This is presumably a result of OPT-IN, and as more child zones are signed the effect will be less marked.

Brett

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Magic for NSEC3
In message fa2e1350901031122w75768929h3b17e0a47b806...@mail.gmail.com, Jonathan Petersson writes:

> Hi all,
>
> Hopefully this post won't cause as much SPAM as my last one.
>
> About a year ago I started looking into DNSSEC and how to work with it for dynamic updates etc. Since only NSEC was supported, allowing whomever to do an unauthorized zone-transfer, I canceled my projects, later finding out that NSEC3 would stop the behavior.

One really needs to look at the cost benefit analysis to decide whether to use NSEC or NSEC3. NSEC3 is much more expensive than NSEC for both authoritative servers and validators. There are almost no zones that need that level of protection.

Stopping AXFR/IXFR has almost zero cost, so for many people it has become reflex without any need to justify it. Stopping zone enumeration has a relatively high cost.

Note for many servers stopping AXFR/IXFR was not about the zone content and more about preserving file descriptors for use by the slaves and legitimate TCP clients rather than the curious.

> With the release of BIND 9.6 my understanding is that NSEC3 is now supported; however, after reading the DNSSEC ARM for 9.6 I'm pretty clueless as to whether there's any magic sauce to get NSEC3 records vs. NSEC. If anyone has a pointer that would be of help. I've tried using NSEC3RSASHA1 keys without success of getting NSEC3 records.

NSEC3RSASHA1 allows the use of either NSEC or NSEC3 when signing the zone. You need to tell dnssec-signzone which one to use.

    dnssec-signzone -3 salt [-H iterations] [-A]

> Thx
> /Jonathan

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: mark_andr...@isc.org
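As an added worked example that is not part of this thread and is not BIND's code, the following Python implements the NSEC3 owner-name hashing of RFC 5155 section 5, which is what `dnssec-signzone -3 salt [-H iterations]` applies to every owner name in the zone, together with the interval check a validator performs against the resulting chain. The owner names, the salt `aabbccdd` and the 12 iterations are the RFC 5155 Appendix A parameters (the hash of `example.` is the RFC's published value, used here as a self-check); the nonexistent query name `doesnotexist.example.` is constructed. It shows why an NSEC3 chain does not hand out the plain next owner name the way NSEC does, and where the "relatively high cost" comes from: each name costs iterations + 1 SHA-1 computations, paid by the signer for every name and by the validator for every name it has to hash while checking a denial.

```python
import base64
import hashlib

# NSEC3 owner labels use the RFC 4648 "extended hex" alphabet (base32hex);
# Python's base64 module only knows the standard alphabet, so translate.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    "0123456789ABCDEFGHIJKLMNOPQRSTUV",
)

# Constructed sample: owner names and NSEC3PARAM (salt, iterations) taken from
# the RFC 5155 Appendix A example zone.
EXAMPLE_ZONE_NAMES = [
    "example.", "a.example.", "ai.example.", "ns1.example.", "ns2.example.",
    "w.example.", "*.w.example.", "x.w.example.", "y.w.example.",
    "x.y.w.example.", "xx.example.",
]
EXAMPLE_SALT = "aabbccdd"
EXAMPLE_ITERATIONS = 12


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, each label prefixed
    by its length, terminated by the root label (a single zero byte)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt).
    H is SHA-1 (the only NSEC3 hash algorithm defined). A presentation-format
    salt of "-" means the empty salt. Returns the 32-character base32hex
    label that becomes the NSEC3 owner name in the signed zone."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes = 160 bits = exactly 32 base32 characters, no padding needed.
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def sha1_invocations(iterations: int, names: int = 1) -> int:
    """SHA-1 computations needed to hash `names` owner names: iterations + 1
    each. This is the extra work -H adds for the signer and for validators."""
    return names * (iterations + 1)


def build_nsec3_chain(names, salt_hex, iterations):
    """Hashed owners in ascending order, each paired with the next hash; the
    last record points back to the first, as the NSEC3 RR chain does."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def covering_record(chain, hashed_name):
    """Validator-side denial of existence: return the (owner, next) interval
    that contains the hash of a name that does not exist, handling the
    wrap-around interval at the end of the chain. Returns None when the hash
    equals an existing owner, i.e. the name does exist."""
    for owner, nxt in chain:
        if owner == hashed_name:
            return None
        if owner < nxt and owner < hashed_name < nxt:
            return (owner, nxt)
        if owner > nxt and (hashed_name > owner or hashed_name < nxt):
            return (owner, nxt)
    return None  # not reached with a well-formed chain of two or more records


if __name__ == "__main__":
    chain = build_nsec3_chain(EXAMPLE_ZONE_NAMES, EXAMPLE_SALT, EXAMPLE_ITERATIONS)
    for owner, nxt in chain:
        print("%s.example. NSEC3 1 0 %d %s %s" % (owner, EXAMPLE_ITERATIONS, EXAMPLE_SALT, nxt))
    missing = nsec3_hash("doesnotexist.example.", EXAMPLE_SALT, EXAMPLE_ITERATIONS)
    print("interval covering the nonexistent name:", covering_record(chain, missing))
    print("SHA-1 computations to hash this zone's names:",
          sha1_invocations(EXAMPLE_ITERATIONS, len(EXAMPLE_ZONE_NAMES)))
```

Running it prints a chain of hashed owner names in the NSEC3 RR form and the interval that proves `doesnotexist.example.` is absent; `dnssec-signzone -3 aabbccdd -H 12` would produce records with the same hashed owners (adding `-A` sets the opt-out flag, which changes the flags field but not the hashes). The printed cost figure is the thing to watch when choosing an iteration count: it scales the work of every signing run and of every validator that checks a denial from the zone.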
Re: Magic for NSEC3
Thanks for your input

/Jonathan

On Jan 3, 2009, at 16:13, Mark Andrews mark_andr...@isc.org wrote: