NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

Phil Mayers p.mayers at imperial.ac.uk
Wed Mar 7 09:27:49 UTC 2012

On 03/07/2012 08:50 AM, Marco Davids (SIDN) wrote:

> I also find it a bit strange that BIND decides to go for NSEC, even when
> the KSK and ZSK are configured with algorithm: 7 (NSEC3RSASHA1).

As I understand it, NSEC3 incurs overhead at validating resolvers. That 
being the case, it is unfriendly to use it unless you really need it, 
because you're increasing the load on everyone else.

It's unclear to me how many people have genuine concerns with zone 
walking that NSEC3 is an appropriate response to; putting sensitive 
names in a private subdomain or using split DNS would seem to be 
"safer" if you're concerned about the hax0rs getting a list of all your 
machines (and don't forget to remove them all from reverse DNS, which 
takes minutes to walk given a target /16).
