<div dir="ltr"><div dir="ltr"><div dir="ltr">Hi again,<div><br></div><div>I have now updated to Pdns 4.1.4 and will test if the problem is still present.</div><div><br></div><div>In the meantime I read this doc:</div><div><a href="https://dnscurve.org/espionage2.html">https://dnscurve.org/espionage2.html</a></div><div><br></div><div>Now I am unsure if NSEC3 is the way to go.</div><div>What's best practice?</div><div><br></div><div>Kevin<br><div><br><br><div class="gmail_quote"><div dir="ltr">Am Mo., 29. Okt. 2018 um 13:14 Uhr schrieb Kevin Olbrich <<a href="mailto:ko@sv01.de">ko@sv01.de</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hi!</div><div dir="ltr"><br></div><div dir="ltr">I read this doc:<div><a href="https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html" target="_blank">https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html</a><br></div><div><br></div><div>PowerDNS Authoritative Server 4.1.1<br></div><div><br></div><div>Currently all zones are DNSSEC signed with NSEC by default.</div><div>We noticed a problem with non-existent CAA records: The zone is native and replicated via AXFR to an external service.</div><div>If I query the master, the result is "not found". If I query the external server, it replies with SRVFAIL.</div><div>This changes as soon as I set a CAA, the lookup succeeds.</div><div><br></div><div>I think I have narrowed it down to NSEC. As NSEC3 makes zone-walking more difficult, I would like to switch.</div><div>I tried "pdnsutil set-nsec3 <a href="http://example.com" target="_blank">example.com</a>" which set some default values and changed zone from NSEC to NSEC3.</div><div><br></div><div>Before I do this change with 600+ Zones, what is the best practice setting for NSEC/NSEC3?</div><div>The docs state broad vs. inclusive vs. 
narrow but without any more information.</div><div><br></div><div>And finally: Would this solve the CAA with replication problem?</div><div><br></div><div>Thank you very much.</div><div><br></div><div>Kevin</div></div></div></div></div></div>
</blockquote></div></div></div></div></div></div>
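For the NSEC vs. NSEC3 question raised in both messages, here is an added example (not code from the thread or from PowerDNS) that computes NSEC3 hashed owner names as defined in RFC 5155 and checks a zone's NSEC3 parameters against the RFC 9276 guidance; the salt `aabbccdd` and 12 iterations are the RFC 5155 Appendix A test-vector values, not anything pdnsutil set in Kevin's zones.

```python
"""NSEC3 hashed owner names (RFC 5155 section 5) and a parameter sanity check.

Added example, not code from the mailing-list thread or from PowerDNS. The
parameters used below (salt aabbccdd, 12 iterations) are the RFC 5155
Appendix A test vector, chosen so the result can be checked against the RFC.
"""
import base64
import hashlib

# Translate RFC 4648 base32 output into the base32hex alphabet NSEC3 uses.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each length-prefixed, root terminator."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).

    H is SHA-1, the only hash algorithm defined for NSEC3. The output is
    deterministic for a given salt and iteration count, so NSEC3 only hides
    names that an observer cannot guess and hash offline; the parameters merely
    change the per-guess cost, which is the point of the espionage2 article.
    """
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def check_nsec3param(algorithm: int, flags: int, iterations: int, salt_hex: str) -> list:
    """Findings against RFC 9276 (NSEC3 parameter guidance); [] means 'as recommended'."""
    findings = []
    if algorithm != 1:
        findings.append(f"algorithm {algorithm}: only 1 (SHA-1) is defined for NSEC3")
    if iterations > 0:
        findings.append(f"iterations {iterations}: RFC 9276 recommends 0 (extra rounds "
                        "cost signers and resolvers but add little guessing resistance)")
    if salt_hex not in ("", "-"):
        findings.append("salt present: RFC 9276 recommends an empty salt ('-')")
    if flags & 0x01:
        findings.append("opt-out bit set: unsigned delegations get no denial-of-existence proof")
    return findings


if __name__ == "__main__":
    # RFC 5155 Appendix A: NSEC3PARAM "1 0 12 aabbccdd", H(example) is given in the RFC.
    print(nsec3_hash("example", "aabbccdd", 12))  # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    for finding in check_nsec3param(1, 0, 12, "aabbccdd"):
        print("-", finding)
```

Feeding the output of `pdnsutil show-zone` (algorithm, flags, iterations, salt) into `check_nsec3param` gives a quick per-zone review before changing 600+ zones.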