[Re: NSEC3 support for BIND]

Daniel Migault mglt.biz at gmail.com
Fri Nov 9 10:56:45 UTC 2007


hi
I am also interested in evaluating NSEC3 and seeing how it affects the
global performance of DNS / DNSSEC.
An evaluation of the added cost of NSEC3 might help us to decide
whether or not we can consider protection against zone walkers
by using NSEC3.

I am used to BIND, so testing NSEC3 on BIND would be easier for me, and
I am also interested in NSEC3 development on BIND.

Regards,

Daniel


> From: Mark Andrews <Mark_Andrews at isc.org>
> To: Paweł Tobiś <ptobis at interia.pl>
> Date: Fri, 09 Nov 2007 21:36:50 +1100
> Subject: Re: NSEC3 support for BIND
>
> >
> > >> Thus I'd like to ask if anybody is aware of an existing implementation
> > >> of this standard in BIND (can be a patch or a package)?
> > >> And are there plans to include an NSEC3 support into official BIND
> > >> release in the near future?
> > >>
> > >
> > >     NSEC3 is *NOT* a standard.  It is still an Internet-Draft.
> > >     The relevant draft is in IETF last call.
> > >
> > I didn't mean NSEC3 to be an official standard (yet), but a protocol
> > that evolved to quite coherent form. Maybe I should use another word.
> > >
> > >     B.T.W. what are your reasons for requiring NSEC3 over NSEC?
> > >
> > The reason is that NSEC3 is said to solve the zone enumeration problems.
>
> Why do you believe enumeration is a problem for you?
>
> Do you have a current zone for which your usage of that zone depends
> on the lack of enumeration?
>
> Remember NSEC3 is much more expensive for the validator than NSEC.
> Its use should be reserved for places where the lack of enumeration
> is critical.  NSEC3 should not be used just because it would be
> "nice".
>
> For the vast majority of zones being able to enumerate them is of
> little or no consequence.
>
> In 15 years I've yet to have a zone where stopping enumeration was
> critical to the use of that zone.  I've had zones where it was a
> nice thing to do, but given the choice between publishing and
> enumeration, publishing would win out every time.
>
> > I'd like to estimate the costs of this improvement in the context of
> > performance.
> > I'm expecting this functionality in BIND since I have read the
> > presentation of Mr. Joao Damas entitled "Evolucao recente do BIND", in
> > which he mentioned that implementation of NSEC3 will be in version 9.5.
> >
> > Pawel Tobis
> >
> >
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
>
>
>
>



-- 
Daniel Migault
Francetelecom R&D
Security Lab
+33 (0) 1 45 29 60 52
+33 (0) 6 70 72 69 58
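As an added example (not code from this thread, from BIND, or from ISC), the following Python model shows the two mechanisms the thread compares: why an NSEC chain can be walked to enumerate a zone, what an NSEC3 chain exposes instead, and where the extra hashing cost comes from. The NSEC3 hash follows what was later published as RFC 5155 section 5 (at the time of this post it was still an Internet-Draft); the sample zone names and the wordlist are constructed for the demonstration, and the salt and iteration count are the values used in the RFC's own example zone.

```python
# Added example: NSEC chain walking versus NSEC3 hashed owner names.
# Not from the bind-users thread or from BIND; the zone below is constructed.
import base64
import hashlib

# base32 with the "extended hex" alphabet (RFC 4648 section 7), as NSEC3 uses
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = str.maketrans(_B32_STD, _B32_HEX)


def wire_name(name):
    """Canonical wire form (RFC 4034 section 6.2): lowercase labels,
    each length-prefixed, terminated by the zero-length root label."""
    labels = [lab for lab in name.lower().strip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def canonical_key(name):
    """Sort key giving RFC 4034 canonical DNS order (labels compared right to left)."""
    return tuple(reversed(name.lower().strip(".").split(".")))


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5, hash algorithm 1 (SHA-1):
    IH(0) = H(wire_name || salt); IH(k) = H(IH(k-1) || salt); output base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # a 20-byte digest is exactly 32 base32 characters, no padding
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def build_nsec_chain(names):
    """NSEC: each owner points at the next owner in canonical order and the
    last owner points back to the apex. Returns {owner: next_owner}."""
    ordered = sorted(names, key=canonical_key)
    return {ordered[i]: ordered[(i + 1) % len(ordered)] for i in range(len(ordered))}


def walk_nsec(chain, apex):
    """Zone enumeration: follow the 'next' pointers until the chain wraps
    around to the apex. Every owner name in the zone is revealed in order."""
    names, current = [], apex
    while True:
        names.append(current)
        current = chain[current]
        if current == apex:
            return names


def build_nsec3_chain(names, salt, iterations):
    """NSEC3: the chain links hashed owner names, sorted by hash value."""
    return sorted(nsec3_hash(n, salt, iterations) for n in names)


def guess_nsec3_names(hashes, zone, wordlist, salt, iterations):
    """What a walker gets from an NSEC3 chain is only hashes, so names must be
    guessed offline. Returns ({hash: recovered_name}, number_of_sha1_calls)."""
    present = set(hashes)
    found, calls = {}, 0
    for label in wordlist:
        candidate = f"{label}.{zone}"
        calls += iterations + 1  # initial hash plus one SHA-1 per iteration
        h = nsec3_hash(candidate, salt, iterations)
        if h in present:
            found[h] = candidate
    return found, calls


# Constructed sample zone (not real data); salt and iterations as in RFC 5155 Appendix A.
ZONE = "example."
ZONE_NAMES = [ZONE, "a.example.", "ns1.example.", "ns2.example.",
              "www.example.", "x.y.w.example."]
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12

if __name__ == "__main__":
    chain = build_nsec_chain(ZONE_NAMES)
    print("NSEC walk reveals:", walk_nsec(chain, ZONE))
    hashes = build_nsec3_chain(ZONE_NAMES, SALT, ITERATIONS)
    print("NSEC3 chain exposes only:", hashes)
    found, calls = guess_nsec3_names(hashes, ZONE, ["www", "mail", "ns1", "ftp"],
                                     SALT, ITERATIONS)
    print(f"dictionary guessing recovered {found} using {calls} SHA-1 calls")
```

The same `iterations + 1` hash operations that the guesser pays per candidate are paid by a validator for every name it has to hash while checking a denial-of-existence proof, which is the cost difference against NSEC that the quoted reply refers to; raising the iteration count makes guessing slower but makes every validator slower by the same factor.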

