[dns-operations] signing a zone with NSEC3 records.

Sander Smeenk ssmeenk at freshdot.net
Thu Sep 10 08:55:42 UTC 2009

Quoting Mark Andrews (marka at isc.org):

> > Maybe it's worth mentioning that with NSEC your zone can be 'spidered',
> So what?  Blocking AXFR does nothing for security though most
> security consultants will say that it does.

You could call it security-through-obscurity. I'm no big fan of such
'security measures' either, but as you stated, some security consultants
find it very important to not 'leak' zone data and/or version info.

> > Personally i don't think NSEC3 is so much more 'complex', though it
> > does grow your (signed) zonefile significantly.
> It is significantly more complex and more expensive operationally
> for both the authoritative servers and the validating resolvers.

I was talking about 'implementing NSEC3 in zones' not being complex.
Not specifically the impact on resolvers/authservers.

As stated by Bert, NSEC3 does make debugging problems harder, and yes, I
do agree that unless you really need NSEC3, don't use it. Of course
playing around with it so you know what it does is never a bad idea... ;)

I just thought it was worth pointing out the spidering-zones-bit ;)

| With her marriage she got a new name and a dress.  
| 4096R/6D40 - 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2
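The 'spidering' the thread refers to, as an added example that is not part of the original post or of any DNS software: an NSEC chain is walked by following each record's "next owner" pointer, so every name in the zone is enumerated; with NSEC3 the same walk yields only salted, iterated SHA-1 hashes (RFC 5155 section 5), which then have to be guessed offline. The zone example.test., its names, the salt and the wordlist are constructed for the example; the hash of "example." with salt aabbccdd and 12 iterations is checked against the published RFC 5155 Appendix A vector.

```python
"""Walking an NSEC chain versus an NSEC3 chain (added example, constructed data)."""
import hashlib
from typing import Dict, Iterable, List

# Constructed NSEC chain for the fictional zone example.test.  Every NSEC
# record names the next owner in canonical order, so a client that triggers
# NXDOMAIN answers can follow the chain and list every name in the zone.
NSEC_CHAIN: Dict[str, str] = {
    "example.test.": "alpha.example.test.",
    "alpha.example.test.": "internal-db.example.test.",
    "internal-db.example.test.": "www.example.test.",
    "www.example.test.": "example.test.",  # last record wraps to the apex
}


def walk_chain(chain: Dict[str, str], start: str) -> List[str]:
    """Follow owner -> next pointers until the chain wraps back to start."""
    owners = [start]
    cur = chain[start]
    while cur != start:
        if cur in owners or cur not in chain:
            raise ValueError(f"broken chain at {cur}")
        owners.append(cur)
        cur = chain[cur]
    return owners


def to_canonical_wire(name: str) -> bytes:
    """Lowercased, length-prefixed label wire format (RFC 5155 section 5 input)."""
    name = name.lower().rstrip(".")
    out = b""
    for label in (name.split(".") if name else []):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


_B32HEX = "0123456789abcdefghijklmnopqrstuv"


def _base32hex(digest: bytes) -> str:
    """Base32hex without padding; only used for 20-byte SHA-1 digests (160 bits = 32 chars)."""
    bits = "".join(f"{b:08b}" for b in digest)
    return "".join(_B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """NSEC3 owner hash: SHA-1(name || salt), then re-hashed `iterations` more times."""
    salt = bytes.fromhex(salt_hex)
    h = hashlib.sha1(to_canonical_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return _base32hex(h)


def build_nsec3_chain(owners: Iterable[str], salt_hex: str, iterations: int) -> Dict[str, str]:
    """Hash every owner and link the hashes in sorted order, as a signer would."""
    hashed = sorted(nsec3_hash(o, salt_hex, iterations) for o in owners)
    return {h: hashed[(i + 1) % len(hashed)] for i, h in enumerate(hashed)}


def guess_nsec3_owners(hashes: Iterable[str], zone: str, salt_hex: str,
                       iterations: int, wordlist: Iterable[str]) -> Dict[str, str]:
    """Offline dictionary attack on walked NSEC3 hashes: the obscurity is only as
    good as the names are unguessable, and salt/iterations only raise the per-guess cost."""
    wanted = set(hashes)
    found: Dict[str, str] = {}
    for word in wordlist:
        candidate = f"{word}.{zone}"
        h = nsec3_hash(candidate, salt_hex, iterations)
        if h in wanted:
            found[h] = candidate
    return found


if __name__ == "__main__":
    print("NSEC walk:", walk_chain(NSEC_CHAIN, "example.test."))
    chain3 = build_nsec3_chain(NSEC_CHAIN, "aabbccdd", 12)
    hashes = walk_chain(chain3, min(chain3))
    print("NSEC3 walk:", hashes)
    print("guessed:", guess_nsec3_owners(hashes, "example.test", "aabbccdd", 12,
                                         ["www", "mail", "alpha"]))
```

Running it shows the NSEC walk returning all four names including internal-db, while the NSEC3 walk returns four hashes of which the wordlist recovers only www and alpha; that difference in attacker cost, not secrecy, is what NSEC3 buys.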
