NSEC3 support for BIND

Mark Andrews Mark_Andrews at isc.org
Fri Nov 9 20:26:56 UTC 2007


> >
> > Why do you believe enumeration is a problem for you?
> >
> > Do you have a current zone for which your usage of that zone depends
> > on the lack of enumeration?
> >
> > Remember NSEC3 is much more expensive for the validator than NSEC.
> > Its use should be reserved for places where the lack of enumeration
> > is critical.  NSEC3 should not be used just because it would be
> > "nice".
> >
> > For the vast majority of zones being able to enumerate them is of
> > little or no consequence.
> >
> > In 15 years I've yet to have a zone when stopping enumeration was
> > critical to the use of that zone.  I've had zones where it was a
> > nice thing to do but given the choice between publishing and
> > enumeration, publishing would win out every time.
> >
> Oh, I think this is a matter of an ISP's security policy.

	ISPs and companies do lots of silly things due to security
	policies.

	e.g.  block all ICMP, block DNS/TCP, block all UDP from
	a given port(s) regardless of the destination port, allow
	traffic out but don't allow the reply traffic back in.

	Most people who write security policies don't know enough to
	do the job correctly.  Lots of so-called "experts" get
	it wrong.

	Turning on NSEC3 will be an easy box to check but in most cases
	it will be enabled when it isn't required.

> But I don't
> want to discuss if revealing zone contents is good or bad, because it's
> beyond this topic. I understand that you are encouraging me to keep with
> already proven solutions, but I didn't want to build a production
> environment on top of NSEC3. I just wanted to test the impact on a
> server performance.
> 
> Anyway, thank you for your answer.
> Best regards.
> Pawel Tobis
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
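To make the "NSEC3 is much more expensive for the validator than NSEC" point from the quoted message concrete, here is an added example (not from this thread and not BIND's code) that computes NSEC3 owner-name hashes as RFC 5155 section 5 specifies and counts the SHA-1 invocations a validator spends hashing the closest-encloser candidates for one denial-of-existence proof; NSEC needs none. The zone name, salt and iteration count are the RFC 5155 Appendix A values; the query name a.b.example is constructed.

```python
import base64
import hashlib

# NSEC3 owner names use the RFC 4648 base32hex alphabet; derive it from the
# standard base32 output by a character translation (no padding for 20 bytes).
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = str.maketrans(_B32_STD, _B32_HEX)


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) uncompressed wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt).

    Returns the base32hex owner-name label in lower case, as BIND prints it.
    SHA-1 is the only hash algorithm RFC 5155 defines (algorithm 1).
    """
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):  # each extra iteration is one more SHA-1 per name
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_HEX).lower()


def closest_encloser_candidates(qname: str, zone: str) -> list:
    """Every name from QNAME up to the zone apex; a validator may have to hash
    each of them while searching for the closest encloser (RFC 5155 section 8.3)."""
    q = qname.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    if q[-len(z):] != z:
        raise ValueError("qname is not inside the zone")
    return [".".join(q[i:]) for i in range(len(q) - len(z) + 1)]


def denial_proof_cost(qname: str, zone: str, salt_hex: str, iterations: int):
    """Hashes a validator computes for the candidates and the SHA-1 call count.
    The NSEC equivalent of this step costs zero hash invocations."""
    cands = closest_encloser_candidates(qname, zone)
    hashes = {n: nsec3_hash(n, salt_hex, iterations) for n in cands}
    return hashes, len(cands) * (iterations + 1)


if __name__ == "__main__":
    hashes, sha1_calls = denial_proof_cost("a.b.example", "example", "aabbccdd", 12)
    for name, h in hashes.items():
        print(f"{name:>12} -> {h}.example")
    print("SHA-1 invocations for this proof:", sha1_calls)
```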


