NSEC3 support for BIND

Måns Nilsson mansaxel at kthnoc.net
Fri Nov 9 07:16:43 UTC 2007


--On Thursday, 8 Nov 2007 14.04.25 +0100 Paweł Tobiś
<ptobis at interia.pl> wrote:
> The reason is that NSEC3 is told to solve the zone enumeration problems.

Zone enumeration is normally not a problem. If you experience performance
issues from zone walkers (not likely), set up a sacrifice server (whose
name/address is not in the relevant NS RRSET), which allows the world AXFR,
or, more manual work, set up an FTP server where registered users can get
the zone OOB. Problem solved.

I happen to run a pair of name servers that help hand out a ccTLD that has
DNSSEC deployed. We have had our share of drama around "the zone is our
customer register and should be secret" and similar words, and we've had
our share of zone walkers. It is not a problem. Been there, done that, got
the T-shirt. 

-- 
Måns Nilsson                     Systems Specialist
+46 70 681 7204   cell                       KTHNOC
+46 8 790 6518  office                  MN1334-RIPE

I would like to urinate in an OVULAR, porcelain pool --


