<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hi!</div><div dir="ltr"><br></div><div dir="ltr">Thank you very much!<br><div><br></div><div>These zones only contain records that can be public. None of them need to be hidden (why hide DNS? The IP will still be reachable on its own).</div><div>It's just that I was shocked that I leak more data with DNSSEC than without it (sure, DNSSEC has more pros than cons).</div><div>On an Apache server, you would disable the version string, just because nobody needs to know, since the admin will already know through other sources.</div><div><br></div><div>As I am not familiar with the process behind NSEC and NSEC3, what is the way to go? Keep NSEC or move to NSEC3?</div><div><br></div><div>If zone walking is no concern, which mode is more compatible with AXFR to foreign servers?</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">If you don’t care that someone might enumerate every name in your zone (zone walk), then use NSEC.</blockquote><div>Source: <a href="https://www.internetsociety.org/resources/deploy360/2014/dnssecnsec-vs-nsec3/">https://www.internetsociety.org/resources/deploy360/2014/dnssecnsec-vs-nsec3/</a></div><div><br></div><div>Actually none of them should cause the problem I have.</div><div><br></div><div>I am just confused, as my main problem is the CAA SERVFAIL on AXFR slaves because of DNSSEC validation problems (which must involve NSEC because the record is not set).</div><div><br></div><div>Kevin<br><br><div class="gmail_quote"><div dir="ltr">On Mon, 29 Oct 2018 at 14:09 Aki Tuomi <<a href="mailto:cmouse@cmouse.fi">cmouse@cmouse.fi</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p>While the DNSCurve page provides excellent information about how
your DNS data can be figured out using NSEC/NSEC3, it does fail to
answer why DNS data should be considered private in the first
place.</p>
<p>If your security model relies on people not finding out your
magical DNS record names, you might want to consider again.</p>
<p>Aki<br>
</p>
<div class="gmail-m_-9087636497804936309moz-cite-prefix">On 29.10.2018 14.39, Kevin Olbrich
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Hi again,
<div><br>
</div>
<div>I have now updated to Pdns 4.1.4 and will test if the
problem is still present.</div>
<div><br>
</div>
<div>In the meantime I read this doc:</div>
<div><a href="https://dnscurve.org/espionage2.html" target="_blank">https://dnscurve.org/espionage2.html</a></div>
<div><br>
</div>
<div>Now I am unsure if NSEC3 is the way to go.</div>
<div>What's best practice?</div>
<div><br>
</div>
<div>Kevin<br>
<div><br>
<br>
<div class="gmail_quote">
<div dir="ltr">On Mon, 29 Oct 2018 at 13:14
Kevin Olbrich <<a href="mailto:ko@sv01.de" target="_blank">ko@sv01.de</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Hi!</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">I read this doc:
<div><a href="https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html" target="_blank">https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html</a><br>
</div>
<div><br>
</div>
<div>PowerDNS Authoritative Server 4.1.1<br>
</div>
<div><br>
</div>
<div>Currently all zones are DNSSEC signed
with NSEC by default.</div>
<div>We noticed a problem with
non-existent CAA records: The zone is
native and replicated via AXFR to an
external service.</div>
<div>If I query the master, the result is
"not found". If I query the external
server, it replies with SERVFAIL.</div>
<div>This changes as soon as I set a CAA,
the lookup succeeds.</div>
<div><br>
</div>
<div>I think I have narrowed it down to
NSEC. As NSEC3 makes zone-walking more
difficult, I would like to switch.</div>
<div>I tried "pdnsutil set-nsec3 <a href="http://example.com" target="_blank">example.com</a>"
which set some default values and
changed zone from NSEC to NSEC3.</div>
<div><br>
</div>
<div>Before I do this change with 600+
Zones, what is the best practice setting
for NSEC/NSEC3?</div>
<div>The docs state broad vs. inclusive
vs. narrow but without any more
information.</div>
<div><br>
</div>
<div>And finally: Would this solve the CAA
with replication problem?</div>
<div><br>
</div>
<div>Thank you very much.</div>
<div><br>
</div>
<div>Kevin</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="gmail-m_-9087636497804936309mimeAttachmentHeader"></fieldset>
<pre class="gmail-m_-9087636497804936309moz-quote-pre">_______________________________________________
Pdns-users mailing list
<a class="gmail-m_-9087636497804936309moz-txt-link-abbreviated" href="mailto:Pdns-users@mailman.powerdns.com" target="_blank">Pdns-users@mailman.powerdns.com</a>
<a class="gmail-m_-9087636497804936309moz-txt-link-freetext" href="https://mailman.powerdns.com/mailman/listinfo/pdns-users" target="_blank">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a>
</pre>
</blockquote>
</div>
</blockquote></div></div></div></div></div></div></div></div>
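The thread turns on two things: what an NSEC chain exposes compared with an NSEC3 chain, and what a validating resolver has to prove when a name exists but has no CAA record (a NODATA answer). The example below, added here and not code from the thread or from PowerDNS, builds both chains for a constructed three-name zone and performs that NODATA check; the zone contents are made up, and the salt/iteration pair is the one from RFC 5155 Appendix A so the hash routine can be checked against a published vector.

```python
import base64
import hashlib

# Base32 -> Base32hex alphabet (RFC 4648 section 7), the encoding NSEC3 owner names use.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def labels(name):
    """Lower-cased labels of an owner name, trailing dot removed."""
    return [l.encode() for l in name.lower().strip(".").split(".") if l]

def wire(name):
    """Canonical wire-format owner name (RFC 4034 section 6.2)."""
    return b"".join(bytes([len(l)]) + l for l in labels(name)) + b"\x00"

def canonical_key(name):
    """Sort key for RFC 4034 canonical ordering: labels compared from the right."""
    return tuple(reversed(labels(name)))

def nsec3_hash(name, salt=b"", iterations=0):
    """NSEC3 owner hash (RFC 5155 section 5): SHA-1(name || salt), then 'iterations' more rounds."""
    h = hashlib.sha1(wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).translate(_B32HEX).decode().lower()

def nsec_chain(zone):
    """NSEC: owner -> (next owner in canonical order, type bitmap). Next names are in the clear."""
    names = sorted(zone, key=canonical_key)
    return {n: (names[(i + 1) % len(names)], zone[n] | {"RRSIG", "NSEC"}) for i, n in enumerate(names)}

def nsec3_chain(zone, salt, iterations):
    """NSEC3: hashed owner -> (next hash, type bitmap). Only hashes of the names are exposed."""
    by_hash = {nsec3_hash(n, salt, iterations): n for n in zone}
    hashes = sorted(by_hash)
    return {h: (hashes[(i + 1) % len(hashes)], zone[by_hash[h]] | {"RRSIG"}) for i, h in enumerate(hashes)}

def nodata_proof(zone, qname, qtype, nsec3=None):
    """What a validator checks for NODATA on an existing name: the NSEC/NSEC3 record matching
    the name must be present and its type bitmap must omit qtype. Returns (owner, next, ok)."""
    if nsec3 is None:
        owner, chain = qname.lower(), nsec_chain(zone)
    else:
        owner, chain = nsec3_hash(qname, *nsec3), nsec3_chain(zone, *nsec3)
    if owner not in chain:
        return owner, None, False   # no matching record: the answer cannot validate (bogus -> SERVFAIL)
    nxt, types = chain[owner]
    return owner, nxt, qtype not in types

# Constructed zone: all names exist, none carries a CAA record.
ZONE = {"example.": {"SOA", "NS", "MX"}, "www.example.": {"A"}, "mail.example.": {"A"}}
NSEC3PARAM = (bytes.fromhex("aabbccdd"), 12)   # salt and iterations from RFC 5155 Appendix A

if __name__ == "__main__":
    print(nodata_proof(ZONE, "www.example.", "CAA"))              # NSEC: next owner name visible
    print(nodata_proof(ZONE, "www.example.", "CAA", NSEC3PARAM))  # NSEC3: only hashes visible
```

Running it shows the same NODATA proof succeeding in both modes; the difference is only that the NSEC answer names the next owner in the zone while the NSEC3 answer carries hashes.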