<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>While the DNSCurve page provides excellent information about how
      your DNS data can be figured out using NSEC/NSEC3, it does fail to
      answer why DNS data should be considered private in the first
      place.</p>
    <p>If your security model relies on people not finding out your
      magical DNS record names, you might want to consider again.</p>
    <p>Aki<br>
    </p>
    <div class="moz-cite-prefix">On 29.10.2018 14.39, Kevin Olbrich
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CA+gLzy_W1NOyn_C4W6pWq-ZVuiHYgc8=i1Li_aU-M2BkNDfcvg@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">
        <div dir="ltr">
          <div dir="ltr">Hi again,
            <div><br>
            </div>
            <div>I have now updated to Pdns 4.1.4 and will test if the
              problem is still present.</div>
            <div><br>
            </div>
            <div>In the meantime I read this doc:</div>
            <div><a href="https://dnscurve.org/espionage2.html"
                moz-do-not-send="true">https://dnscurve.org/espionage2.html</a></div>
            <div><br>
            </div>
            <div>Now I am unsure if NSEC3 is the way to go.</div>
            <div>What's best practice?</div>
            <div><br>
            </div>
            <div>Kevin<br>
              <div><br>
                <br>
                <div class="gmail_quote">
                  <div dir="ltr">On Mon, 29 Oct 2018 at 13:14, Kevin Olbrich
                    <<a
                      href="mailto:ko@sv01.de" moz-do-not-send="true">ko@sv01.de</a>> wrote:<br>
                  </div>
                  <blockquote class="gmail_quote" style="margin:0px 0px
                    0px 0.8ex;border-left:1px solid
                    rgb(204,204,204);padding-left:1ex">
                    <div dir="ltr">
                      <div dir="ltr">
                        <div dir="ltr">
                          <div dir="ltr">
                            <div dir="ltr">Hi!</div>
                            <div dir="ltr"><br>
                            </div>
                            <div dir="ltr">I read this doc:
                              <div><a
href="https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html"
                                  target="_blank" moz-do-not-send="true">https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html</a><br>
                              </div>
                              <div><br>
                              </div>
                              <div>PowerDNS Authoritative Server 4.1.1<br>
                              </div>
                              <div><br>
                              </div>
                              <div>Currently all zones are DNSSEC signed
                                with NSEC by default.</div>
                              <div>We noticed a problem with
                                non-existent CAA records: The zone is
                                native and replicated via AXFR to an
                                external service.</div>
                              <div>If I query the master, the result is
                                "not found". If I query the external
                                server, it replies with SERVFAIL.</div>
                              <div>This changes as soon as I set a CAA,
                                the lookup succeeds.</div>
                              <div><br>
                              </div>
                              <div>I think I have narrowed it down to
                                NSEC. As NSEC3 makes zone-walking more
                                difficult, I would like to switch.</div>
                              <div>I tried "pdnsutil set-nsec3 <a
                                  href="http://example.com"
                                  target="_blank" moz-do-not-send="true">example.com</a>"
                                which set some default values and
                                changed the zone from NSEC to NSEC3.</div>
                              <div><br>
                              </div>
                              <div>Before I do this change with 600+
                                Zones, what is the best practice setting
                                for NSEC/NSEC3?</div>
                              <div>The docs state broad vs. inclusive
                                vs. narrow but without any more
                                information.</div>
                              <div><br>
                              </div>
                              <div>And finally: Would this solve the CAA
                                with replication problem?</div>
                              <div><br>
                              </div>
                              <div>Thank you very much.</div>
                              <div><br>
                              </div>
                              <div>Kevin</div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
Pdns-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Pdns-users@mailman.powerdns.com">Pdns-users@mailman.powerdns.com</a>
<a class="moz-txt-link-freetext" href="https://mailman.powerdns.com/mailman/listinfo/pdns-users">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a>
</pre>
    </blockquote>
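    <p>The thread asks what NSEC3 actually buys over NSEC and which settings to
      use. The following is an added example, not code from the thread or from
      PowerDNS: it computes NSEC3 hashed owner names exactly as RFC 5155 section
      5 defines them (SHA-1 over the canonical wire-format name plus salt,
      repeated for the configured number of extra iterations, base32hex encoded)
      and shows how the NSEC3 chain is ordered by hash rather than by name. The
      sample zone names and the NSEC3PARAM value "1 0 1 ab" are constructed
      assumptions; the one real test vector is the apex of the RFC 5155 Appendix A
      example zone.</p>

```python
# Added example (not from the thread or PowerDNS): NSEC3 owner-name hashing
# per RFC 5155 section 5, so an operator can see what the NSEC3 chain exposes.
# Standard library only.
import base64
import hashlib
from typing import List, Tuple

# base32 -> base32hex alphabet translation (RFC 4648 "Extended Hex" alphabet)
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the empty root label (RFC 4034 section 6.2 canonical form)."""
    name = name.rstrip(".").lower()
    wire = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid label length in {name!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def nsec3_hash(name: str, salt_hex: str = "-", iterations: int = 0) -> str:
    """NSEC3 hash of an owner name with SHA-1 (the only hash RFC 5155 defines).

    salt_hex is the NSEC3PARAM presentation-format salt ("-" means no salt);
    iterations counts *additional* SHA-1 rounds, so 0 still hashes once.
    Returns the lowercase base32hex string used as the NSEC3 owner label.
    """
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 SHA-1 bytes encode to exactly 32 base32hex characters, no padding
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def nsec3_chain(names: List[str], salt_hex: str, iterations: int) -> List[Tuple[str, str]]:
    """Hash every owner name of a zone and return (hash, name) pairs in the order
    the NSEC3 chain links them: sorted by hash, not by name.  Each NSEC3 record
    covers the gap to the next hash, so a denial-of-existence answer reveals a
    hash interval, not the neighbouring names themselves."""
    return sorted((nsec3_hash(n, salt_hex, iterations), n) for n in names)


# Constructed sample zone contents (not real data).  "1 0 1 ab" is an assumed
# NSEC3PARAM value: SHA-1, no opt-out, 1 extra iteration, salt 0xab.
SAMPLE_NAMES = ["example.com", "www.example.com", "mail.example.com", "_dmarc.example.com"]
SAMPLE_SALT, SAMPLE_ITERATIONS = "ab", 1

if __name__ == "__main__":
    # RFC 5155 Appendix A test vector: zone "example", salt aabbccdd, 12 iterations
    print(nsec3_hash("example", "aabbccdd", 12))  # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    for h, n in nsec3_chain(SAMPLE_NAMES, SAMPLE_SALT, SAMPLE_ITERATIONS):
        print(f"{h}.example.com  <- {n}")
```

    <p>The salt and iteration count for a real zone are whatever its NSEC3PARAM
      record says, so the same function can be used to cross-check which hashed
      owner in a live chain corresponds to which name. Note that the hash takes
      no secret input: anyone holding the NSEC3PARAM can hash a guessed name and
      compare, which is the point Aki makes above. RFC 9276 (2022) accordingly
      recommends 0 additional iterations and an empty salt, since extra rounds
      cost validators and resolvers far more than they cost a guesser.</p>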
  </body>
</html>