[dns-operations] signing a zone with NSEC3 records.

Mark Andrews marka at isc.org
Thu Sep 10 11:50:28 UTC 2009

In message <20090910091956.GC11045 at nic.fr>, Stephane Bortzmeyer writes:
> On Thu, Sep 10, 2009 at 06:41:37PM +1000,
>  Mark Andrews <marka at isc.org> wrote 
>  a message of 32 lines which said:
> > So what?  Blocking AXFR does nothing for security though most
> > security consultants will say that it does.
> BTW, zone transfer fails on every authoritative name server of
> isc.org.

It's not being done to prevent the zone content being visible.  You
will note we sign isc.org with NSEC not NSEC3.  The servers themselves
serve other zones where is has been requested that AXFR be denied
so it is simpler to block all zones that do it on a per zone basis.

Note:  I am not involved in the day to day running of these servers.

> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list