<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>While the DNSCurve page provides excellent information about how
your DNS data can be figured out using NSEC/NSEC3, it does fail to
answer why DNS data should be considered private in the first
place.</p>
<p>If your security model relies on people not finding out your
magical DNS record names, you might want to consider again.</p>
<p>Aki<br>
</p>
<div class="moz-cite-prefix">On 29.10.2018 14.39, Kevin Olbrich
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CA+gLzy_W1NOyn_C4W6pWq-ZVuiHYgc8=i1Li_aU-M2BkNDfcvg@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Hi again,
<div><br>
</div>
<div>I have now updated to Pdns 4.1.4 and will test if the
problem is still present.</div>
<div><br>
</div>
<div>In the meantime I read this doc:</div>
<div><a href="https://dnscurve.org/espionage2.html"
moz-do-not-send="true">https://dnscurve.org/espionage2.html</a></div>
<div><br>
</div>
<div>Now I am unsure if NSEC3 is the way to go.</div>
<div>What's best practice?</div>
<div><br>
</div>
<div>Kevin<br>
<div><br>
<br>
<div class="gmail_quote">
<div dir="ltr">Am Mo., 29. Okt. 2018 um 13:14 Uhr
schrieb Kevin Olbrich <<a
href="mailto:ko@sv01.de" moz-do-not-send="true">ko@sv01.de</a>>:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Hi!</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">I read this doc:
<div><a
href="https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html"
target="_blank" moz-do-not-send="true">https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html</a><br>
</div>
<div><br>
</div>
<div>PowerDNS Authoritative Server 4.1.1<br>
</div>
<div><br>
</div>
<div>Currently all zones are DNSSEC signed
with NSEC by default.</div>
<div>We noticed a problem with
non-existent CAA records: The zone is
native and replicated via AXFR to an
external service.</div>
<div>If I query the master, the result is
"not found". If I query the external
server, it replies with SERVFAIL.</div>
<div>This changes as soon as I set a CAA
record: the lookup succeeds.</div>
<div><br>
</div>
<div>I think I have narrowed it down to
NSEC. As NSEC3 makes zone-walking more
difficult, I would like to switch.</div>
<div>I tried "pdnsutil set-nsec3 <a
href="http://example.com"
target="_blank" moz-do-not-send="true">example.com</a>"
which set some default values and
changed zone from NSEC to NSEC3.</div>
<div><br>
</div>
<div>Before I do this change with 600+
Zones, what is the best practice setting
for NSEC/NSEC3?</div>
<div>The docs state broad vs. inclusive
vs. narrow but without any more
information.</div>
<div><br>
</div>
<div>And finally: Would this solve the CAA
with replication problem?</div>
<div><br>
</div>
<div>Thank you very much.</div>
<div><br>
</div>
<div>Kevin</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Pdns-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Pdns-users@mailman.powerdns.com">Pdns-users@mailman.powerdns.com</a>
<a class="moz-txt-link-freetext" href="https://mailman.powerdns.com/mailman/listinfo/pdns-users">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a>
</pre>
</blockquote>
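<p>The point both messages circle around (NSEC lets anyone list a zone by following the "next owner" pointers; NSEC3 only replaces that with an offline guessing game against SHA-1 hashes) can be shown in a few lines. The example below is added here for illustration and is not code from PowerDNS or from either poster. The NSEC chain for example.com, the hypothetical hostnames in it and the wordlist are constructed; the NSEC3 parameters (SHA-1, 12 iterations, salt aabbccdd) and the hashed owner names are taken from the test zone in RFC 5155 Appendix A. The iterations and salt are the same values one would hand to <code>pdnsutil set-nsec3</code>.</p>

```python
import hashlib

# Constructed NSEC chain for a hypothetical zone (not from the thread): owner -> next owner.
# NSEC sorts every name into a ring, so an attacker just asks for each "next" name in turn.
NSEC_CHAIN = {
    "example.com.": "admin.example.com.",
    "admin.example.com.": "db-internal.example.com.",
    "db-internal.example.com.": "www.example.com.",
    "www.example.com.": "example.com.",
}

# NSEC3 test zone from RFC 5155 Appendix A: SHA-1, 12 iterations, salt aabbccdd.
RFC5155_SALT = "aabbccdd"
RFC5155_ITERATIONS = 12
RFC5155_HASHED_OWNERS = {
    "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom",  # example.
    "35mthgpgcu1qg68fab165klnsnk3dpvl",  # a.example.
    "gjeqe526plbf1g8mklp59enfd789njgi",  # ai.example.
    "2t7b4g4vsa5smi47k61mv5bv1a22bojr",  # ns1.example.
}


def walk_nsec(chain, apex):
    """Enumerate a zone from its NSEC chain by following 'next owner' pointers until it wraps."""
    names = [apex]
    current = chain[apex]
    while current != apex:
        if current in names or len(names) > len(chain):
            raise ValueError("NSEC chain is not a single ring: " + current)
        names.append(current)
        current = chain[current]
    return names


def wire_name(name):
    """Canonical wire-format owner name (RFC 4034 s6.2): lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data):
    """Base32 with the Extended Hex alphabet (RFC 4648 s7), lowercase and unpadded, as NSEC3 owners use."""
    alphabet = "0123456789abcdefghijklmnopqrstuv"
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(alphabet[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 s5: H(x) = SHA1(x || salt), then re-hashed 'iterations' more times with the salt appended."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def crack_nsec3(hashed_owners, zone, salt_hex, iterations, wordlist):
    """Offline dictionary attack: hash each guessed label under the zone's NSEC3 parameters and
    look it up among the hashed owner names collected from the zone's NSEC3 records."""
    found = {}
    for word in wordlist:
        name = f"{word}.{zone}" if word else zone
        h = nsec3_hash(name, salt_hex, iterations)
        if h in hashed_owners:
            found[h] = name
    return found


if __name__ == "__main__":
    print("NSEC walk:", walk_nsec(NSEC_CHAIN, "example.com."))
    # Constructed wordlist; a real attack uses a large list of common hostnames.
    guesses = ["", "www", "mail", "ns1", "ns2", "a", "ai", "db-internal"]
    hits = crack_nsec3(RFC5155_HASHED_OWNERS, "example.", RFC5155_SALT, RFC5155_ITERATIONS, guesses)
    for h in sorted(RFC5155_HASHED_OWNERS):
        print(h, "->", hits.get(h, "(not in wordlist)"))
```

<p>The walk needs one query per name and recovers the zone exactly; the NSEC3 attack costs one short SHA-1 chain per guess per zone and recovers every name that appears in the attacker's wordlist, which for names like admin or db-internal is most of them. That is the sense in which NSEC3 makes walking "more difficult" rather than impossible, and it is why the iteration count buys little: each extra iteration raises the attacker's cost and every validating resolver's cost by the same factor (RFC 9276 accordingly recommends 0 iterations and an empty salt).</p>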
</body>
</html>