NSEC3 support for BIND
Mark Andrews
Mark_Andrews at isc.org
Sun Nov 11 21:11:55 UTC 2007
> On Sun, Nov 11, 2007 at 05:35:17PM +1100,
> Mark Andrews <Mark_Andrews at isc.org> wrote
> a message of 46 lines which said:
>
> > The root zone is a classic counter example. AXFR is denied
>
> Not the ideal example. At least four servers of the root (B, C, F and
> G) allow AXFR.

The policy says it's denied. Individual operators look at the
load that this causes on their servers and decide if they can
accept the load w/o compromising the service. The individual
operators can turn AXFR off at any time.

There are multiple reasons people turn off AXFR. Also it
generally does no harm to turn AXFR off. The same cannot
be said of turning on NSEC3. It definitely has a negative
performance impact on both the authoritative server and
on the validating resolver.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org