[Re: NSEC3 support for BIND]

Mark Andrews Mark_Andrews at isc.org
Fri Nov 9 11:14:30 UTC 2007


> hi
> I am also interested in evaluating NSEC3 and seeing how it affects the
> overall performance of DNS / DNSSEC.
> An evaluation of the added cost of NSEC3 might help us to decide
> whether or not we can consider protection against zone walkers
> by using NSEC3.

	If you are trying to make that decision then the cost is
	almost certainly too high.

> I am used to BIND so testing NSEC3 on BIND would be easier for me, and
> I am also interested in NSEC3 development on BIND.
> 
> Regards,
> 
> Daniel
> 
> 
> > From: Mark Andrews <Mark_Andrews at isc.org>
> > To: Paweł Tobiś <ptobis at interia.pl>
> > Date: Fri, 09 Nov 2007 21:36:50 +1100
> > Subject: Re: NSEC3 support for BIND
> >
> > >
> > > >> Thus I'd like to ask if anybody is aware of an existing implementation
> > > >> of this standard in BIND (can be a patch or a package)?
> > > >> And are there plans to include an NSEC3 support into official BIND
> > > >> release in the near future?
> > > >>
> > > >
> > > >     NSEC3 is *NOT* a standard.  It is still an Internet-Draft.
> > > >     The relevant draft is in IETF last call.
> > > >
> > > I didn't mean NSEC3 to be an official standard (yet), but a protocol
> > > that has evolved into quite a coherent form. Maybe I should use another word.
> > > >
> > > >     B.T.W. what are your reasons for requiring NSEC3 over NSEC?
> > > >
> > > The reason is that NSEC3 is said to solve the zone enumeration problems.
> >
> > Why do you believe enumeration is a problem for you?
> >
> > Do you have a current zone for which your usage of that zone depends
> > on the lack of enumeration?
> >
> > Remember NSEC3 is much more expensive for the validator than NSEC.
> > Its use should be reserved for places where the lack of enumeration
> > is critical.  NSEC3 should not be used just because it would be
> > "nice".
> >
> > For the vast majority of zones being able to enumerate them is of
> > little or no consequence.
> >
> > In 15 years I've yet to have a zone where stopping enumeration was
> > critical to the use of that zone.  I've had zones where it was a
> > nice thing to do but given the choice between publishing and
> > enumeration, publishing would win out every time.
> >
> > > I'd like to estimate the costs of this improvement in the context of
> > > performance.
> > > I'm expecting this functionality in BIND since I have read the
> > > presentation of Mr. Joao Damas entitled "Evolucao recente do BIND", in
> > > which he mentioned that implementation of NSEC3 will be in version 9.5.
> > >
> > > Pawel Tobis
> > >
> > >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
> >
> >
> >
> >
> 
> 
> 
> -- 
> Daniel Migault
> Francetelecom R&D
> Security Lab
> +33 (0) 1 45 29 60 52
> +33 (0) 6 70 72 69 58
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
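The two claims argued in this thread, that an NSEC chain can be walked to enumerate a zone and that NSEC3 shifts hashing work onto the validator, are illustrated below with an added example. This is not code from the thread, from BIND, or from ISC; the zone is a constructed toy (`example.` with a handful of names), the NSEC3 hashing follows the algorithm that the draft discussed here was published as in RFC 5155 (SHA-1, salt, iterations, base32hex owner names, and that RFC's Appendix A parameters: salt `aabbccdd`, 12 iterations), and `validator_hash_work` is a simplified worst-case count of SHA-1 calls for a closest-encloser NXDOMAIN proof, which is an assumption of this example rather than a measurement of any resolver.

```python
"""Added example: NSEC chain walking versus NSEC3 hashing, on a constructed toy zone."""
import base64
import hashlib

# Standard base32 (RFC 4648) alphabet -> base32hex alphabet used for NSEC3 owner names.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def _labels(name):
    """Labels of a name, lowercased, without the empty root label."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def name_to_wire(name):
    """Canonical wire form: lowercase, each label length-prefixed, root label last."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in _labels(name)) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """NSEC3 hash (SHA-1, RFC 5155 section 5): H(name || salt), then `iterations`
    further rounds of H(previous || salt), rendered as lowercase base32hex."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


# Constructed NSEC chain for a toy zone "example.": owner -> next owner, canonical order.
NSEC_CHAIN = {
    "example.": "a.example.",
    "a.example.": "ns1.example.",
    "ns1.example.": "w.example.",
    "w.example.": "x.w.example.",
    "x.w.example.": "example.",  # the last record wraps around to the apex
}


def nodata_nsec(chain, qname):
    """Simulated server: an existing name queried for an absent type gets a NODATA
    answer carrying the NSEC record owned by qname, i.e. (owner, next)."""
    return qname, chain[qname]


def walk_nsec(chain, apex):
    """Enumerate the zone by following NSEC 'next' pointers: one query per name."""
    names, cur = [], apex
    while True:
        owner, nxt = nodata_nsec(chain, cur)
        names.append(owner)
        if nxt == apex:
            return names
        cur = nxt


def guess_nsec3_owners(hashed_owners, candidates, salt, iterations):
    """Offline dictionary attack on an NSEC3 chain: hash each guess with the zone's
    published salt/iterations and keep the ones that match a chain owner."""
    table = {nsec3_hash(c, salt, iterations): c for c in candidates}
    return {h: table[h] for h in hashed_owners if h in table}


def validator_hash_work(qname, apex, iterations):
    """Assumed worst case: to verify an NXDOMAIN the validator may hash qname and every
    ancestor down to the apex (closest-encloser search) plus one wildcard name, each
    costing iterations + 1 SHA-1 calls. The NSEC equivalent is zero hashes."""
    ancestors = len(_labels(qname)) - len(_labels(apex)) + 1  # qname .. apex inclusive
    wildcard = 1                                              # *.<closest encloser>
    return (ancestors + wildcard) * (iterations + 1)


if __name__ == "__main__":
    SALT, ITER = bytes.fromhex("aabbccdd"), 12
    print("NSEC walk:", walk_nsec(NSEC_CHAIN, "example."))
    hashed = {nsec3_hash(n, SALT, ITER) for n in NSEC_CHAIN}
    print("NSEC3 chain owners:", sorted(hashed))
    guesses = ["example.", "a.example.", "b.example.", "ns1.example.", "mail.example."]
    print("recovered by guessing:", guess_nsec3_owners(hashed, guesses, SALT, ITER))
    print("validator SHA-1 calls for NXDOMAIN x.y.w.example.:",
          validator_hash_work("x.y.w.example.", "example.", ITER))
```

The walk recovers every name with one query per NSEC record, which is the enumeration the thread is about; the NSEC3 chain exposes only hashes, so recovering names is reduced to guessing, while every negative answer costs the validator a multiple of `iterations + 1` SHA-1 computations that NSEC never required. The hash function can be checked against the `example.` vector in RFC 5155 Appendix A (`0p9mhaveqvm6t7vbl5lop2u3t2rp3tom`).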


