NSEC3 support for BIND

Mark Andrews Mark_Andrews at isc.org
Fri Nov 9 10:36:50 UTC 2007


> 
> >> Thus I'd like to ask if anybody is aware of an existing implementation
> >> of this standard in BIND (can be a patch or a package)?
> >> And are there plans to include an NSEC3 support into official BIND
> >> release in the near future?
> >>     
> >
> > 	NSEC3 is *NOT* a standard.  It is still an internet-draft.
> > 	The relevant draft is in ietf last call.
> >   
> I didn't mean NSEC3 to be an official standard (yet), but a protocol
> that evolved to quite coherent form. Maybe I should use another word.
> > 	
> > 	B.T.W. what are your reasons for requiring NSEC3 over NSEC?
> >   
> The reason is that NSEC3 is said to solve the zone enumeration problems.

Why do you believe enumeration is a problem for you?

Do you have a current zone for which your usage of that zone depends
on the lack of enumeration?

Remember NSEC3 is much more expensive for the validator than NSEC.
Its use should be reserved for places where the lack of enumeration
is critical.  NSEC3 should not be used just because it would be
"nice".

For the vast majority of zones being able to enumerate them is of
little or no consequence.

In 15 years I've yet to have a zone where stopping enumeration was
critical to the use of that zone.  I've had zones where it was a
nice thing to do but given the choice between publishing and
enumeration, publishing would win out every time.

> I'd like to estimate the costs of this improvement in the context of
> performance.
> I'm expecting this functionality in BIND since I have read the
> presentation of Mr. Joao Damas entitled "Evolucao recente do BIND", in
> which he mentioned that implementation of NSEC3 will be in version 9.5.
> 
> Pawel Tobis
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
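The validator cost Mark refers to, as an added example (Python; not code from this thread or from BIND): the RFC 5155 NSEC3 owner-name hash with its iteration loop, counting SHA-1 invocations, plus a rough count of how many a validator spends on a closest-encloser proof, which an NSEC denial never needs. Salt and iteration count are the RFC 5155 Appendix A test-vector values; `closest_encloser_cost` is a simplification that assumes every ancestor from the query name down to the apex gets hashed.

```python
import base64
import hashlib

# Added example, not from the thread or from BIND. NSEC3 owner names are
# base32hex (RFC 4648 extended hex); translate from Python's standard base32.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    "0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def wire_name(name: str) -> bytes:
    """Canonical (lower-cased) uncompressed wire form of a domain name."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return out + b"\x00"  # root label terminator


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> tuple[str, int]:
    """Return (base32hex digest, SHA-1 invocations) per RFC 5155 section 5:
    IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt)."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    ops = 1
    for _ in range(iterations):  # each extra iteration is one more SHA-1
        digest = hashlib.sha1(digest + salt).digest()
        ops += 1
    b32 = base64.b32encode(digest).decode("ascii").rstrip("=")
    return b32.translate(_B32_TO_B32HEX).lower(), ops


def closest_encloser_cost(qname: str, apex: str, iterations: int) -> int:
    """Simplified count of SHA-1 invocations a validator may spend hashing
    qname and each ancestor down to the apex while looking for the closest
    encloser (RFC 5155 section 8.3). With NSEC this work is zero."""
    depth = len(qname.rstrip(".").split(".")) - len(apex.rstrip(".").split(".")) + 1
    return depth * (iterations + 1)


if __name__ == "__main__":
    h, ops = nsec3_hash("example.", "aabbccdd", 12)  # RFC 5155 Appendix A
    print(h, ops, closest_encloser_cost("a.b.example.", "example.", 12))
```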


