NSEC3 support for BIND

Stephane Bortzmeyer bortzmeyer at nic.fr
Sat Nov 10 15:24:50 UTC 2007


On Fri, Nov 09, 2007 at 08:16:43AM +0100,
 Måns Nilsson <mansaxel at kthnoc.net> wrote 
 a message of 23 lines which said:

> Zone enumeration is normally not a problem. If you experience
> performance issues from zone walkers (not likely) set up a sacrifice
> server (whose name/address is not in the relevant NS RRSET), which
> allows the world AXFR, or, more manual work, set up a ftp server
> where registered users can get the zone OOB. Problem solved.

*Technical* problem solved. But zone enumeration may be a problem, just
not a technical one (for instance, a policy one; I say "policy" and
not "security" because, as Mark reminded us, "security" is way too
overloaded).

My problem is rather to keep policies in synch. If a domain allows
AXFR, it makes sense to allow enumeration through NSEC. If it does not
allow AXFR, it is foolish to deploy NSEC, because it would contradict
the policy.
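The contrast behind this argument, as an added illustration (not code from the thread or from BIND): an NSEC chain links plaintext owner names, so it exposes the same list an AXFR would, while NSEC3 links hashed owner labels computed per RFC 5155 section 5 (iterated SHA-1 with a salt, base32hex). The zone names and the "example." NSEC3PARAM values (salt aabbccdd, 12 iterations) below are the RFC 5155 Appendix A test data, used here only as sample input.

```python
import base64
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, which is what RFC 5155 hashes."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """Hashed owner label: H(name||salt), then `iterations` more rounds of H(prev||salt)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # base32 with the "extended hex" alphabet; 20 bytes give exactly 32 chars, no padding
    b32 = base64.b32encode(digest).decode("ascii")
    return b32.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")).lower()


def nsec_chain(names):
    """NSEC: (owner, next owner) in canonical order; each link names a real zone entry."""
    ordered = sorted(names, key=lambda n: n.lower().rstrip(".").split(".")[::-1])
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def nsec3_chain(names, salt_hex, iterations):
    """NSEC3: the same chain, but over hashed labels sorted in hash order."""
    hashed = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(hashed[i], hashed[(i + 1) % len(hashed)]) for i in range(len(hashed))]


if __name__ == "__main__":
    zone = ["example.", "a.example.", "ns1.example.", "ns2.example."]  # sample input
    for owner, nxt in nsec_chain(zone):
        print(f"{owner:14} NSEC  {nxt}")          # a walker reads every name directly
    for owner, nxt in nsec3_chain(zone, "aabbccdd", 12):
        print(f"{owner} NSEC3 {nxt}")             # only hashes are on the wire
```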


