[dns-operations] How many kinds of DNS DoS attacks are we trying to stop ?

Peter van Dijk peter.van.dijk at netherlabs.nl
Fri Sep 28 16:28:01 UTC 2012


On Sep 28, 2012, at 2:04, Phil Pennock wrote:

>> What authoritative server crypto work for NSEC3 is that?  Aren't NSEC3s
>> pre-computed by dnssec-signzone or equivalent?  Check references to
>> NSEC3 in your favorite hit in https://www.google.com/search?q=dnssec-signzone
> Er, I confused minimal covering NSEC (RFC 4470) with NSEC3 (RFC 5155).
> Sorry.
> Does anyone have stats on RFC 4470 deployment?  Has it reached
> "ignorable" status?

Minimal covering NSEC3 (no RFC that I know of) is supported in PowerDNS (we
call it NSEC3-NARROW). Reportedly, people are using it when their data is
dynamic. I do not have deployment stats, but I can ask around. I don't think 
white lies are going away anytime soon.

Kind regards,
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
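
Added example, not part of the original message and not PowerDNS code: computing a minimal covering NSEC3 range for a queried name at query time, which shows the per-query hashing an authoritative server takes on when denials are not pre-computed. It assumes the RFC 5155 SHA-1 hash and a covering range of hash-1 to hash+1; the function names are illustrative, and the salt and iteration count in the demo are the RFC 5155 example zone's.

```python
import base64
import hashlib

# Map the standard base32 alphabet onto base32hex (RFC 4648), lowercase,
# which is the encoding used for NSEC3 owner labels.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789abcdefghijklmnopqrstuv",
)

def wire_name(name: str) -> bytes:
    """Canonical (lowercased) DNS wire format of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name: str, salt: bytes, iterations: int) -> bytes:
    """RFC 5155 hash: SHA-1 over name||salt, then `iterations` extra rounds."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def b32hex(digest: bytes) -> str:
    """Base32hex label for a 20-byte digest (160 bits, so no padding)."""
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii")

def narrow_cover(name: str, salt: bytes, iterations: int) -> tuple[str, str]:
    """Owner and next-hashed-owner labels of a minimal covering NSEC3.

    Assumption: the range is (hash-1, hash+1), wrapping modulo 2^160, so the
    record proves only that this one hash does not exist in the zone.
    """
    h = int.from_bytes(nsec3_hash(name, salt, iterations), "big")
    mod = 1 << 160
    owner = ((h - 1) % mod).to_bytes(20, "big")
    nxt = ((h + 1) % mod).to_bytes(20, "big")
    return b32hex(owner), b32hex(nxt)

if __name__ == "__main__":
    # Constructed query name under the RFC 5155 example zone parameters.
    print(narrow_cover("nonexistent.example", bytes.fromhex("aabbccdd"), 12))
```

Every distinct non-existent name yields a different range, so each such response needs its own hash computation and its own signature.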
