Magic for NSEC3

Jonathan Petersson jpetersson at garnser.se
Sun Jan 4 01:28:28 UTC 2009


Thanks for your input

/Jonathan


On Jan 3, 2009, at 16:13, Mark Andrews <Mark_Andrews at isc.org> wrote:

>
> In message <fa2e1350901031122w75768929h3b17e0a47b806b17 at mail.gmail.com>, "Jonathan Petersson" writes:
>> Hi all,
>>
>> Hopefully this post won't cause as much SPAM as my last one. About a
>> year ago I started looking into DNSSEC and how to work with it for
>> dynamic updates etc. Since only NSEC was supported, allowing whoever
>> to do an unauthorized zone-transfer I canceled my projects, later
>> finding out that NSEC3 would stop the behavior.
>
>    One really needs to look at the cost benefit analysis to
>    decide whether to use NSEC or NSEC3.  NSEC3 is much more
>    expensive than NSEC for both authoritative servers and
>    validators.  There are almost no zones that need
>    that level of protection.
>
>    Stopping AXFR/IXFR has almost zero cost so for many people
>    it has become reflex without any need to justify it.  Stopping
>    zone enumeration has a relatively high cost.
>
>    Note for many servers stopping AXFR/IXFR was not about the
>    zone content and more about preserving file descriptors for
>    use by the slaves and legitimate TCP clients rather than the
>    curious.
>
>> With the release of BIND 9.6 my understanding is that NSEC3 is now
>> supported, however, after reading the DNSSEC ARM for 9.6 I'm pretty
>> clueless as to whether there's any magic sauce to get NSEC3 records vs.
>> NSEC.
>>
>> If anyone has a pointer that would be of help, I've tried using
>> NSEC3RSASHA1 keys without success in getting NSEC3 records.
>
>    NSEC3RSASHA1 allows the use of either NSEC and NSEC3 when
>    signing the zone.  You need to tell dnssec-signzone which
>    one to use.
>
>    dnssec-signzone -3 salt [-H iterations] [-A] ....
>
>> Thx
>>
>> /Jonathan
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
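As an added example (not code from this thread or from BIND), here is the RFC 5155 owner-name hashing that dnssec-signzone -3 performs for every name in the zone, driven by the salt and -H iteration count Mark mentions, plus the hashed chain it links those names into; the sample values (zone "example", salt aabbccdd, 12 iterations) are the RFC 5155 Appendix A test vector, and the function names are my own.

```python
import base64
import hashlib

# RFC 4648 base32 alphabet -> base32hex alphabet, which NSEC3 owner names use.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, root label included."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: IH(0) = SHA-1(wire || salt), IH(k) = SHA-1(IH(k-1) || salt).
    SHA-1 runs iterations + 1 times, so the -H value scales the work that both the
    authoritative server (per response) and every validator (per proof) must do."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 digest bytes -> exactly 32 base32hex characters, no padding.
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii").lower()


def nsec3_chain(names, salt_hex: str, iterations: int) -> dict:
    """Hash each owner and point it at the next hash in sorted order, wrapping the
    last back to the first: the closed NSEC3 chain the signer emits for the zone."""
    hashed = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return {h: hashed[(i + 1) % len(hashed)] for i, h in enumerate(hashed)}


if __name__ == "__main__":
    # Constructed input: a few owners from the RFC 5155 Appendix A zone.
    for owner, nxt in nsec3_chain(["example", "a.example", "ns1.example", "w.example"],
                                  "aabbccdd", 12).items():
        print(f"{owner}.example. NSEC3 1 0 12 aabbccdd {nxt}")
```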


