nsec and nsec3 records
marka at isc.org
Mon Jun 15 02:22:44 UTC 2009
In message <e754e90906130925m6d9f723eh71090a331a4270c0 at mail.gmail.com>, R Dicai
> Hi folks,
> Can both nsec and nsec3 records be used simultaneously in a zone file,
> or is it an either/or?
NSEC and NSEC3 chains are expected to exist in a zone during
a incremental transition between the two ways of negatively
signing a zone. If there is a complete NSEC3 chain (indicated
by a NSEC3PARAM record at the zone apex) servers are supposed
to return NSEC3 proofs.
NSEC3 is more expensive that NSEC is and really should not
be used unless you need the features NSEC3 provide. There
are additional cost on both the authoritative servers and
on the validating servers when you use NSEC3.
TLD's can make use of OPTOUT which is why you see ORG and
GOV using NSEC3. End user zones generally can't make use
Unless you really need to hide the presence of names in a
zone then you shouldn't use NSEC3.
Note: NSEC3 is a waste of time for IN-ADDR.ARPA, IP6.ARPA
and RBL type zones which use IP addresses as they are highly
structured and you can enumnerate the contents without
walking the NSEC chain.
> aRDy Music and Rick Dicaire present:
> bind-users mailing list
> bind-users at lists.isc.org
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users