NSEC3 support for BIND

Paweł Tobiś ptobis at interia.pl
Fri Nov 9 12:08:34 UTC 2007


>
> Why do you believe enumeration is a problem for you?
>
> Do you have a current zone for which your usage of that zone depends
> on the lack of enumeration?
>
> Remember NSEC3 is much more expensive for the validator than NSEC.
> Its use should be reserved for places where the lack of enumeration
> is critical.  NSEC3 should not be used just because it would be
> "nice".
>
> For the vast majority of zones being able to enumerate them is of
> little or no consequence.
>
> In 15 years I've yet to have a zone when stopping enumeration was
> critical to the use of that zone.  I've had zones where it was a
> nice thing to do but given the choice between publishing and
> enumeration, publishing would win out every time.
>
Oh, I think this is a matter of an ISP's security policy. But I don't
want to discuss if revealing zone contents is good or bad, because it's
beyond this topic. I understand that you are encouraging me to keep with
already proven solutions, but I didn't want to build a production
environment on top of NSEC3. I just wanted to test the impact on
server performance.

Anyway, thank you for your answer.
Best regards.
Pawel Tobis
