Magic for NSEC3
Mark Andrews
Mark_Andrews at isc.org
Sun Jan 4 00:13:29 UTC 2009
In message <fa2e1350901031122w75768929h3b17e0a47b806b17 at mail.gmail.com>, "Jonathan Petersson"
writes:
> Hi all,
>
> Hopefully this post wont cause as much SPAM as my last one. About a
> year ago I started looking into DNSSEC and how to work with it for
> dynamic updates etc. Since only NSEC was supported, allowing whomever
> to do a unauthorized zone-transfer I canceled my projects later
> finding out that NSEC3 would stop the behavior.
One really needs to look at the cost benefit analysis to
decide whether to use NSEC or NSEC3. NSEC3 is much more
expensive than NSEC3 for both authoritative servers and
validators than NSEC. There are almost no zone that need
that level of protection.
Stopping AXFR/IXFR has almost zero cost so for many people
it has become reflex without any need to justify it. Stopping
zone enumeration has a relatively high cost.
Note for many servers stopping AXFR/IXFR was not about the
zone content and more about preserving file descriptors for
use by the slaves and legitimate TCP clients rather than the
curious.
> With the release of BIND 9.6 my understanding is that NSEC3 is now
> supported, however, after reading the DNSSEC ARM for 9.6 I'm pretty
> clueless as whether there's any magic sauce to get NSEC3 records vs.
> NSEC.
>
> If anyone has a pointer that would be of help, I've tried using
> NSEC3RSASHA1 keys without success of getting NSEC3 records.
NSEC3RSASHA1 allows the use of either NSEC and NSEC3 when
signing the zone. You need to tell dnssec-signzone which
one to use.
dnssec-signzone -3 salt [-H iterations] [-A] ....
> Thx
>
> /Jonathan
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the bind-users
mailing list