[dns-operations] signing a zone with NSEC3 records.

Mark Andrews marka at isc.org
Thu Sep 10 08:41:37 UTC 2009

In message <20090910065041.GP19795 at dot.freshdot.net>, Sander Smeenk writes:
> Quoting Samuel Weiler (weiler at watson.org):
> > Unless you have a specific need for NSEC3, use NSEC. Unless you
> > specifically need it, avoid the complexity.
> Maybe it's worth mentioning that with NSEC your zone can be 'spidered',
> e.g. I could make an overview of all labels in your zone based on NSEC
> records. It's somewhat like allowing AXFR from anyone on your zone(s).

So what?  Blocking AXFR does nothing for security though most
security consultants will say that it does.

> Personally I don't think NSEC3 is so much more 'complex', though it does
> grow your (signed) zonefile significantly.

It is significantly more complex and more expensive operationally
for both the authoritative servers and the validating resolvers.
Unless you really need the features NSEC3 brings there is no point
in using it.


Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
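An added illustration of the two points argued in this thread, not code from the original post, from ISC or from BIND: the first function walks a (constructed) NSEC chain the way a "spidering" client would, following each record's next-owner field until it returns to the apex; the second computes NSEC3 hashed owner names per RFC 5155 (SHA-1, salt, iterations, base32hex) so that the extra per-name hashing cost on signers and validators is visible. The zone contents, the salt "aabbccdd" and the iteration count 12 are assumptions (the latter two are the values used in the RFC 5155 Appendix A example zone).

```python
import base64
import hashlib

# Constructed NSEC chain for a hypothetical signed zone "example." (not from the
# post).  Each entry maps an owner name to the "next owner name" field of its
# NSEC record, i.e. exactly what an NXDOMAIN answer for a name sorting between
# the two would disclose.
SAMPLE_NSEC_CHAIN = {
    "example.": "a.example.",
    "a.example.": "mail.example.",
    "mail.example.": "www.example.",
    "www.example.": "example.",  # the last NSEC wraps back to the apex
}


def walk_nsec(chain, apex):
    """Enumerate every owner name in a zone by following NSEC 'next' pointers.

    Against a live server each step is a query for a name that sorts just after
    the current one; the NSEC record in the negative answer names the next
    existing owner.  Here the dict stands in for those answers.
    """
    names = [apex]
    cur = chain.get(apex)
    while cur != apex:
        if cur is None or cur in names:
            raise ValueError("NSEC chain is broken or not a single loop at %r" % cur)
        names.append(cur)
        cur = chain.get(cur)
    return names


def name_to_wire(name):
    """Canonical wire form of a domain name (RFC 4034 section 6.2): lowercase,
    uncompressed, length-prefixed labels, terminated by the root label."""
    name = name.lower().rstrip(".")
    out = bytearray()
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError("invalid label %r" % label)
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


# Older Python versions have no base32hex encoder; translate the standard
# base32 alphabet (RFC 4648) into the base32hex alphabet NSEC3 uses.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name, salt_hex, iterations):
    """NSEC3 hashed owner name (RFC 5155 section 5), SHA-1 only:
    IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt), encoded base32hex."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii").lower()


def nsec3_hash_cost(names, iterations):
    """Number of SHA-1 invocations needed to hash every name once: the per-name
    work NSEC3 adds for the signer, and for a validator that must hash the query
    name and its closest-encloser candidates to check a denial of existence."""
    return len(names) * (iterations + 1)


if __name__ == "__main__":
    zone = walk_nsec(SAMPLE_NSEC_CHAIN, "example.")
    print("NSEC walk found:", zone)
    # Salt and iteration count as in the RFC 5155 Appendix A example zone.
    for n in zone:
        print(nsec3_hash(n, "aabbccdd", 12), "<-", n)
    print("SHA-1 calls to hash the zone:", nsec3_hash_cost(zone, 12))
```

Running it lists every name the NSEC chain discloses and the NSEC3 owner hash each would carry instead; note that the NSEC3 line for "example." matches the apex hash in the RFC 5155 example zone, and that the hash count grows with the iteration count, which is the operational cost referred to above.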
