nsec and nsec3 records

Evan Hunt each at isc.org
Sun Jun 14 03:40:36 UTC 2009


> Currently I'm using bind 9.4.x, with NSEC records, but looking to move
> to 9.6.1, in fact my slaves are already 9.6.1, but my master isn't
> yet. I've recently read where .org has been signed, and using NSEC3. I
> thought it might be a good idea to resign my zones using NSEC3, but
> was unaware if both NSEC and NSEC3 were acceptable.

NSEC and NSEC3 are both just methods for proving that a name doesn't
exist in a zone, so that if you get a negative answer you can be sure it
isn't a forgery.  The difference is, NSEC works by giving you the names
that *are* in the zone, whereas NSEC3 uses a one-way hash on them,
concealing the actual names.

The only disadvantage of NSEC is it makes it possible for someone to "walk"
your zone and list off every record it contains.  Some people have a
problem with this.  NSEC3 closes that door, at some computational cost.

If you already have your zones signed with NSEC, and it isn't bothering
you that someone could enumerate them, then it probably isn't worthwhile
converting to NSEC3.

There is no advantage at all to using both.  If NSEC is there, your zone is
enumerable.

> Is it too soon to go NSEC3? No doubt a good portion of DNSSEC-aware
> resolvers aren't NSEC3 capable yet, is this something I need to take
> into account?

Maybe.  I expect that to be a fairly short-term problem though, since major
TLDs are using NSEC3.  That's a pretty good reason for resolvers to come
into compliance.  (You might want to upgrade yours to 9.6.1.)

> I use ISC's DLV, is NSEC3 an issue for that?

It was, a while back.  It's fixed now.

--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
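The hashing the reply describes, as an added example that is not code from this thread or from BIND: it computes NSEC3 hashed owner names the way RFC 5155 specifies (SHA-1 over the wire-format name plus salt, re-hashed per iteration, base32hex), checks the apex name against the RFC 5155 Appendix A vector, and shows how a resolver uses an NSEC3 record's owner/next pair to prove that a name is absent without learning the real names. The salt and iteration count are the RFC's NSEC3PARAM values; the zone names are constructed.

```python
import hashlib

# RFC 4648 "base32hex" alphabet; NSEC3 owner names use it in lower case.
B32HEX = "0123456789abcdefghijklmnopqrstuv"

def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lower-cased labels, each length-prefixed, root terminator."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def b32hex(data: bytes) -> str:
    """Unpadded base32hex; a 20-byte SHA-1 digest becomes exactly 32 characters."""
    nchars = -(-len(data) * 8 // 5)
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(B32HEX[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))

def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1(wire-name || salt), then `iterations` extra rounds."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):  # this loop is the "computational cost" of NSEC3
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex(digest)

def build_chain(names, salt: bytes, iterations: int):
    """Signer side (constructed): sort hashed owners, link each to the next; last wraps."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]

def nsec3_covers(owner: str, nxt: str, qhash: str) -> bool:
    """True if qhash lies strictly between an NSEC3 record's owner hash and its
    'next hashed owner' field; the last record of the chain wraps around."""
    if owner < nxt:
        return owner < qhash < nxt
    return qhash > owner or qhash < nxt

def prove_absent(chain, qname: str, salt: bytes, iterations: int):
    """Resolver side: return the (owner, next) record whose gap covers the query
    name's hash, or None when a record with that hash exists in the chain."""
    qhash = nsec3_hash(qname, salt, iterations)
    for owner, nxt in chain:
        if owner == qhash:
            return None  # the name exists; nothing to prove absent
        if nsec3_covers(owner, nxt, qhash):
            return owner, nxt
    return None

if __name__ == "__main__":  # NSEC3PARAM 1 0 12 aabbccdd as in RFC 5155 Appendix A
    chain = build_chain(["example", "a.example", "ns1.example"], bytes.fromhex("aabbccdd"), 12)
    print(prove_absent(chain, "nonexistent.example", bytes.fromhex("aabbccdd"), 12))
```

Only hashes appear in the chain, which is why an NSEC3 answer proves absence without handing out the zone's names the way an NSEC answer does.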


