Magic for NSEC3

Jim k0jkj at arrl.net
Mon Jan 5 17:57:23 UTC 2009 

On Jan 3, 6:28 pm, Jonathan Petersson <jpeters... at garnser.se> wrote:
> Thanks for your input
>
> /Jonathan
>
> On Jan 3, 2009, at 16:13, Mark Andrews <Mark_Andr... at isc.org> wrote:
>
>
>
>
>
> > In message
> > <fa2e1350901031122w75768929h3b17e0a47b806... at mail.gmail.com>,
> > "Jonathan Petersson"
> > writes:
> >> Hi all,
>
> >> Hopefully this post wont cause as much SPAM as my last one. About a
> >> year ago I started looking into DNSSEC and how to work with it for
> >> dynamic updates etc. Since only NSEC was supported, allowing whomever
> >> to do a unauthorized zone-transfer I canceled my projects later
> >> finding out that NSEC3 would stop the behavior.
>
> >    One really needs to look at the cost benefit analysis to
> >    decide whether to use NSEC or NSEC3.  NSEC3 is much more
> >    expensive than NSEC3 for both authoritative servers and
> >    validators than NSEC.  There are almost no zone that need
> >    that level of protection.
>
> >    Stopping AXFR/IXFR has almost zero cost so for many people
> >    it has become reflex without any need to justify it.  Stopping
> >    zone enumeration has a relatively high cost.
>
> >    Note for many servers stopping AXFR/IXFR was not about the
> >    zone content and more about preserving file descriptors for
> >    use by the slaves and legitimate TCP clients rather than the
> >    curious.
>
> >> With the release of BIND 9.6 my understanding is that NSEC3 is now
> >> supported, however, after reading the DNSSEC ARM for 9.6 I'm pretty
> >> clueless as whether there's any magic sauce to get NSEC3 records vs.
> >> NSEC.
>
> >> If anyone has a pointer that would be of help, I've tried using
> >> NSEC3RSASHA1 keys without success of getting NSEC3 records.
>
> >    NSEC3RSASHA1 allows the use of either NSEC and NSEC3 when
> >    signing the zone.  You need to tell dnssec-signzone which
> >    one to use.
>
> >    dnssec-signzone -3 salt [-H iterations] [-A] ....
>
> >> Thx
>
> >> /Jonathan
> >> _______________________________________________
> >> bind-users mailing list
> >> bind-us... at lists.isc.org
> >>https://lists.isc.org/mailman/listinfo/bind-users
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: Mark_Andr... at isc.org
>
> _______________________________________________
> bind-users mailing list
> bind-us... at lists.isc.orghttps://lists.isc.org/mailman/listinfo/bind-users

While testing our DNSSEC signing product, I found that the expense of
signing with NSEC3 versus NSEC was very data dependent. In TLD type
zones with a sparse number of records that needed to be signed,
signing time could be reduced from hours to minutes by specifying
NSEC3. The resultant data files were much smaller than  those signed
with NSEC. On the other hand zones that predominately needed to be
signed by NSEC3 are as expensive or even more expensive that NSEC
signing.

The other advantage of NSEC3 is “increased” privacy over NSEC by
preventing zone walking.

As results are data dependent you should evaluate both signing types
and use the one that meets your needs for both speed of signing and
data size as well a privacy.

Jim Jackson
Senior Test Engineer
Secure64 Software Corp.

More information about the bind-users mailing list