[dns-operations] signing a zone with NSEC3 records.
Sander Smeenk
ssmeenk at freshdot.net
Thu Sep 10 06:50:41 UTC 2009
Quoting Samuel Weiler (weiler at watson.org):
> Unless you have a specific need for NSEC3, use NSEC. Unless you
> specifically need it, avoid the complexity.
Maybe it's worth mentioning that with NSEC your zone can be 'spidered',
e.g. I could make an overview of all labels in your zone based on NSEC
records. It's somewhat like allowing AXFR from anyone on your zone(s).
Personally I don't think NSEC3 is so much more 'complex', though it does
grow your (signed) zonefile significantly.
Regards,
-Sndr.
--
| If TCP/IP handshaking was less formal,
| perhaps SYN / ACK would be Yo! / 'sup? instead...
| 4096R/6D40 - 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2
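The 'spidering' Sander describes, as an added example that is not part of the list thread: build the NSEC chain of a constructed, fictional zone and follow the next-name pointers offline, then do the same for an NSEC3 chain to see that only hashed owner names come out. The zone names, salt and iteration count are assumptions; the one real value is the RFC 5155 Appendix A hash of the name "example" (salt aabbccdd, 12 iterations), used here as a self-check of the hash routine.

```python
"""Added example, not from the list post: build NSEC and NSEC3 chains for a
constructed zone and walk them, to show why an NSEC-signed zone can be
'spidered' (every owner name is visible in the chain) while NSEC3 exposes
only hashed owner names. Names, salt and iterations are made up, apart from
the RFC 5155 Appendix A parameters used in the hash self-check."""
import base64
import hashlib

# Constructed sample zone (fictional names, deliberately out of order).
APEX = "example.test."
ZONE_NAMES = [APEX, "www.example.test.", "mail.example.test.",
              "staging.example.test.", "api.example.test."]

# base32 -> base32hex (RFC 4648 "Extended Hex") translation for NSEC3 owners.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def _canonical_key(name):
    """Sort key giving DNS canonical order: compare labels from the root down."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def _wire_name(name):
    """Uncompressed, lowercased wire-format owner name (length-prefixed labels)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """NSEC3 hash per RFC 5155 section 5: iterated SHA-1 over wire name || salt."""
    digest = hashlib.sha1(_wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def build_nsec_chain(names):
    """Map each owner to the 'next name' its NSEC record would carry.
    The last name in canonical order points back to the apex."""
    ordered = sorted(names, key=_canonical_key)
    return {cur: ordered[(i + 1) % len(ordered)] for i, cur in enumerate(ordered)}


def build_nsec3_chain(names, apex, salt, iterations):
    """Same idea, but owners are hashed: <base32hex>.<apex> -> next owner."""
    owners = sorted(f"{nsec3_hash(n, salt, iterations)}.{apex}" for n in names)
    return {cur: owners[(i + 1) % len(owners)] for i, cur in enumerate(owners)}


def walk_chain(chain, start=None):
    """Follow next pointers from start until the chain wraps around.
    Every owner in the chain appears exactly once in the result."""
    start = start if start is not None else min(chain)
    seen = [start]
    cur = chain[start]
    while cur != start:
        if cur in seen:
            raise ValueError(f"chain loops at {cur} without returning to {start}")
        seen.append(cur)
        cur = chain[cur]
    return seen


if __name__ == "__main__":
    salt, iterations = bytes.fromhex("aabbccdd"), 12   # constructed parameters
    print("NSEC walk reveals: ", walk_chain(build_nsec_chain(ZONE_NAMES), APEX))
    print("NSEC3 walk reveals:",
          walk_chain(build_nsec3_chain(ZONE_NAMES, APEX, salt, iterations)))
```

Run against your own signed zone data (for example the NSEC or NSEC3 records from a zone dump) to see what an outsider could reconstruct from the denial-of-existence chain alone: with NSEC the walk lists every owner name, with NSEC3 it lists only base32hex hashes. Note that NSEC3 hides names rather than making them secret; a hashed owner can still be matched against a guessed name, so it raises the cost of enumeration rather than eliminating it.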