[dns-operations] signing a zone with NSEC3 records.
ssmeenk at freshdot.net
Thu Sep 10 08:55:42 UTC 2009
Quoting Mark Andrews (marka at isc.org):
> > Maybe it's worth mentioning that with NSEC your zone can be 'spidered',
> So what? Blocking AXFR does nothing for security though most
> security consultants will say that it does.
You could call it security-through-obscurity. I'm no big fan of such
'securitymeasures' either, but as you stated, some securityconsultants
find it very important to not 'leak' zone data and/or version info.
> > Personally i don't think NSEC3 is so much more 'complex', though it
> > does grow your (signed) zonefile significantly.
> It is significantly more complex and more expensive operationally
> for both the authoritative servers and the validating resolvers.
I was talking about 'implementing NSEC3 in zones' not being complex.
Not specifically the impact on resolvers/authservers.
As stated by Bert, NSEC3 does make debugging problems harder, and yes, i
do agree that unless you really need NSEC3, don't use it. Of course
playing around with it so you know what it does is never a bad idea... ;)
I just thought it was worth pointing out the spidering-zones-bit ;)
| With her marriage she got a new name and a dress.
| 4096R/6D40 - 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2
More information about the dns-operations