[Pdns-dev] CloudFlare NSEC black lies - any plans for support?

Cristian Seres cristian-2 at contrasec.fi
Thu Jul 21 11:00:36 UTC 2016

21.07.2016, 13:02, bert hubert kirjoitti:

> Hi Cristian,
> You mean NSEC3 narrow from
> https://doc.powerdns.com/md/authoritative/dnssec/#online-signing ?

Hi Bert,

no, I mean the CloudFlare's solution that is rather different. According 
to the link I sent this approach has following benefits:
- minimal information revealed, missing name \000 sent as the next name 
in NSEC reply and using NODATA, also no need for additional NSEC for the 
- prevents zone walking unlike NSEC3 which only makes it harder
- the size of a negative reply is only a fraction of traditional NSEC reply

I know about the NSEC3 narrow mode in PowerDNS. I suppose that's the 
best available option to decrease information leak at the moment. 
RFC7129 appendix B calls them "NSEC3 White Lies" which is more commonly 
used term than narrow mode, I think.

With best regards,

Cristian Seres

More information about the Pdns-dev mailing list