Re: DNSSEC implementation on IPv6 PTR Zones

raf bind at raf.org
Sat Nov 20 01:15:00 UTC 2021


On Thu, Nov 18, 2021 at 09:47:03AM -0700, Grant Taylor via bind-users <bind-users at lists.isc.org> wrote:

> On 11/18/21 3:14 AM, Mark Elkins wrote:
> > With IPv6 - you might want to use NSEC3 - as there can be huge holes in
> > the reverse zone. Make the bad guy work at guessing what is in the zone.
> 
> Be mindful of current efforts for minimizing NSEC3 rounds / iterations which
> purportedly have a diminishing RoI for higher counts.
> -- 
> Grant. . . .
> unix || die

According to "Guidance for NSEC3 parameter settings"
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-00
the recommendation is:

  nsec3param iterations 0 optout no salt-length 0;

cheers,
raf
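
Added example (not part of the message above, nor code from BIND or the draft): what the iterations and salt parameters discussed in this thread feed into, the RFC 5155 NSEC3 owner-name hash, computed for a reverse-zone name. The function names and the 2001:db8::1 sample address are assumptions made for illustration.

```python
import base64
import hashlib
import ipaddress

# RFC 4648 base32 alphabet -> base32hex alphabet used for NSEC3 owner names.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) DNS wire format of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str = "", iterations: int = 0) -> str:
    """RFC 5155 section 5 hash (algorithm 1, SHA-1) as a base32hex label."""
    if iterations < 0:
        raise ValueError("iterations must be >= 0")
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):          # each extra iteration is one more SHA-1
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode().lower()


def sha1_calls(iterations: int) -> int:
    """SHA-1 invocations per hashed name: the initial hash plus each iteration."""
    return iterations + 1


if __name__ == "__main__":
    # Constructed sample: a PTR owner name in the 2001:db8::/32 documentation prefix.
    ptr = ipaddress.ip_address("2001:db8::1").reverse_pointer
    print(ptr)
    print("iterations 0, no salt:", nsec3_hash(ptr), "-", sha1_calls(0), "SHA-1 call")
    print("iterations 12, salt aabbccdd:", nsec3_hash(ptr, "aabbccdd", 12),
          "-", sha1_calls(12), "SHA-1 calls")
```

Every validating resolver repeats the same SHA-1 calls for each NSEC3 record it checks, so a higher iteration count is paid by validators on every denial-of-existence answer.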