[dns-operations] signing a zone with NSEC3 records.
marka at isc.org
Thu Sep 10 11:50:28 UTC 2009
In message <20090910091956.GC11045 at nic.fr>, Stephane Bortzmeyer writes:
> On Thu, Sep 10, 2009 at 06:41:37PM +1000,
> Mark Andrews <marka at isc.org> wrote
> a message of 32 lines which said:
> > So what? Blocking AXFR does nothing for security though most
> > security consultants will say that it does.
> BTW, zone transfer fails on every authoritative name server of
It's not being done to prevent the zone content being visible. You
will note we sign isc.org with NSEC not NSEC3. The servers themselves
serve other zones where it has been requested that AXFR be denied
so it is simpler to block all zones than do it on a per zone basis.
Note: I am not involved in the day to day running of these servers.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org