Magic for NSEC3
Jonathan Petersson
jpetersson at garnser.se
Sun Jan 4 01:28:28 UTC 2009
Thanks for your input
/Jonathan
On Jan 3, 2009, at 16:13, Mark Andrews <Mark_Andrews at isc.org> wrote:
>
> In message <fa2e1350901031122w75768929h3b17e0a47b806b17 at mail.gmail.com>,
> "Jonathan Petersson" writes:
>> Hi all,
>>
>> Hopefully this post won't cause as much SPAM as my last one. About a
>> year ago I started looking into DNSSEC and how to work with it for
>> dynamic updates etc. Since only NSEC was supported, allowing whomever
>> to do an unauthorized zone-transfer, I canceled my projects, later
>> finding out that NSEC3 would stop the behavior.
>
> One really needs to look at the cost benefit analysis to
> decide whether to use NSEC or NSEC3. NSEC3 is much more
> expensive than NSEC for both authoritative servers and
> validators. There are almost no zones that need
> that level of protection.
>
> Stopping AXFR/IXFR has almost zero cost so for many people
> it has become reflex without any need to justify it. Stopping
> zone enumeration has a relatively high cost.
>
> Note for many servers stopping AXFR/IXFR was not about the
> zone content and more about preserving file descriptors for
> use by the slaves and legitimate TCP clients rather than the
> curious.
>
>> With the release of BIND 9.6 my understanding is that NSEC3 is now
>> supported, however, after reading the DNSSEC ARM for 9.6 I'm pretty
>> clueless as to whether there's any magic sauce to get NSEC3 records vs.
>> NSEC.
>>
>> If anyone has a pointer that would be of help, I've tried using
>> NSEC3RSASHA1 keys without success in getting NSEC3 records.
>
> NSEC3RSASHA1 allows the use of either NSEC or NSEC3 when
> signing the zone. You need to tell dnssec-signzone which
> one to use.
>
> dnssec-signzone -3 salt [-H iterations] [-A] ....
>
>> Thx
>>
>> /Jonathan
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org