[dns-operations] How many kinds of DNS DoS attacks are we trying to stop ?
Peter van Dijk
peter.van.dijk at netherlabs.nl
Fri Sep 28 16:28:01 UTC 2012
Hello,
On Sep 28, 2012, at 2:04 , Phil Pennock wrote:
>> What authoritative server crypto work for NSEC3 is that? Aren't NSEC3s
>> pre-computed by dnssec-signzone or equivalent? Check references to
>> NSEC3 in your favorite hit in https://www.google.com/search?q=dnssec-signzone
>
> Er, I confused minimal covering NSEC (RFC 4470) with NSEC3 (RFC 5155).
> Sorry.
>
> Does anyone have stats on RFC 4470 deployment? Has it reached
> "ignorable" status?
Minimal covering NSEC3 (no RFC that I know of) is supported in PowerDNS (we
call it NSEC3-NARROW). Reportedly, people are using it when their data is
dynamic. I do not have deployment stats, but I can ask around. I don't think
white lies are going away anytime soon.
Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
More information about the dns-operations
mailing list