NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)
p.mayers at imperial.ac.uk
Wed Mar 7 09:27:49 UTC 2012
On 03/07/2012 08:50 AM, Marco Davids (SIDN) wrote:
> I also find it a bit strange that BIND decides to go for NSEC, even when
> the KSK and ZSK are configured with algorithm: 7 (NSEC3RSASHA1).
As I understand it, NSEC3 incurs overhead at validating resolvers. That
being the case, it is unfriendly to use it unless you really need it,
because you're increasing the load on everyone else.

It's unclear to me how many people have genuine concerns with zone
walking that NSEC3 is an appropriate response to; putting sensitive
names in a private subdomain or using split DNS would seem to be
"safer" if you're concerned about tex hax0rs getting a list of all your
machines (and don't forget to remove them all from reverse DNS, which
takes minutes to walk given a target /16).
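The validator-side overhead mentioned in the message above comes from the iterated, salted SHA-1 hash that RFC 5155 defines for NSEC3 owner names. The following is an added example, not part of the original message or of BIND: it computes that hash and counts the SHA-1 calls per name. The function names and the simplified `denial_cost` count (one hash per candidate ancestor name, wildcard check ignored) are assumptions made for illustration; the salt and iteration values are the sample parameters from RFC 5155 Appendix A.

```python
import base64
import hashlib

# Map the RFC 4648 base32 alphabet to base32hex, which NSEC3 owner labels use.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)

def _labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]

def wire_name(name):
    """Canonical (lowercase) DNS wire format of an absolute name."""
    body = b"".join(bytes([len(l)]) + l.encode("ascii") for l in _labels(name))
    return body + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """Return (hashed owner label, SHA-1 calls made) per RFC 5155 section 5."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    calls = 1
    for _ in range(iterations):  # "iterations" counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
        calls += 1
    label = base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()
    return label, calls

def candidate_names(qname, zone):
    """qname and each ancestor down to the apex: the names a validator may
    need to hash while checking a closest-encloser proof (simplified)."""
    q, z = _labels(qname), _labels(zone)
    return [".".join(q[i:]) for i in range(len(q) - len(z) + 1)]

def denial_cost(qname, zone, salt_hex, iterations):
    """Total SHA-1 calls to hash every candidate name. Checking an NSEC
    denial needs none: it only compares names in canonical order."""
    return sum(nsec3_hash(n, salt_hex, iterations)[1]
               for n in candidate_names(qname, zone))

if __name__ == "__main__":
    # Parameters from RFC 5155 Appendix A: salt aabbccdd, 12 iterations.
    print(nsec3_hash("example", "aabbccdd", 12))
    print(denial_cost("a.c.x.w.example", "example", "aabbccdd", 12))
```

The cost scales with both the iteration count chosen by the zone operator and the number of labels in the queried name, and it is paid by every validating resolver rather than by the signer.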