[Pdns-dev] CloudFlare NSEC black lies - any plans for support?
Cristian Seres
cristian-2 at contrasec.fi
Thu Jul 21 11:00:36 UTC 2016
On 21.07.2016, 13:02, bert hubert wrote:
> Hi Cristian,
>
> You mean NSEC3 narrow from
> https://doc.powerdns.com/md/authoritative/dnssec/#online-signing ?
Hi Bert,
No, I mean CloudFlare's solution, which is rather different. According
to the link I sent, this approach has the following benefits:
- minimal information revealed: for a missing name, \000.<name> is sent as the
next name in the NSEC reply and the response is NODATA; there is also no need
for an additional NSEC for the wildcard
- prevents zone walking, unlike NSEC3, which only makes it harder
- the size of a negative reply is only a fraction of a traditional NSEC reply
I know about the NSEC3 narrow mode in PowerDNS. I suppose that's the
best available option to decrease the information leak at the moment.
RFC 7129 Appendix B calls them "NSEC3 White Lies", which is a more commonly
used term than narrow mode, I think.
With best regards,
--
Cristian Seres
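The mechanism described in the message above, as an added example that is not code from the thread, from PowerDNS or from CloudFlare: a small Python model of how a "black lies" NSEC record is synthesised for a queried name, why its interval can contain no other name, and why the response is a NODATA rather than an NXDOMAIN. The zone model (`zone_rrsets`), the `respond` helper and the names used are hypothetical; RRSIG generation is out of scope.

```python
"""Model of the 'black lies' NSEC denial described in the message above.

Added example, not code from the thread, PowerDNS or CloudFlare. Names are
handled as lists of label bytes; the type bitmap follows RFC 4034 section
4.1.2 and the ordering check follows the canonical ordering of RFC 4034
section 6.1. The zone model (a dict of name -> {rrtype: rdata}) is a
hypothetical stand-in for a real authoritative server's data.
"""

TYPE_A, TYPE_RRSIG, TYPE_NSEC = 1, 46, 47


def to_labels(name: str) -> list:
    """'www.example.' -> [b'www', b'example'] (the root name is [])."""
    return [label.encode("ascii") for label in name.rstrip(".").split(".") if label]


def wire_name(labels) -> bytes:
    """Uncompressed wire-format name: <len><label>...<0>."""
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def canonical_key(labels) -> list:
    """Sort key for RFC 4034 canonical ordering: labels compared from the
    right, case-insensitively; a name with fewer labels sorts first."""
    return [label.lower() for label in reversed(labels)]


def type_bitmap(types) -> bytes:
    """RFC 4034 NSEC type bitmap: per 256-type window, <window><len><bits>."""
    windows = {}
    for rrtype in types:
        window, bit = divmod(rrtype, 256)
        windows.setdefault(window, bytearray(32))[bit // 8] |= 0x80 >> (bit % 8)
    out = b""
    for window in sorted(windows):
        bits = windows[window]
        length = 32
        while length and bits[length - 1] == 0:  # trailing zero octets are omitted
            length -= 1
        out += bytes([window, length]) + bytes(bits[:length])
    return out


def black_lies_next(labels) -> list:
    """The 'next' name is the query name with a single NUL-byte label
    prepended: the smallest name that sorts after the query name, so the
    NSEC interval contains no other name and reveals nothing about the zone."""
    return [b"\x00"] + list(labels)


def covers(owner, nxt, candidate) -> bool:
    """True if candidate sorts strictly between owner and nxt."""
    return canonical_key(owner) < canonical_key(candidate) < canonical_key(nxt)


def respond(qname: str, qtype: int, zone_rrsets: dict) -> dict:
    """Authoritative answer for (qname, qtype) under the black-lies policy."""
    name = qname.rstrip(".").lower()
    rrsets = zone_rrsets.get(name, {})
    if qtype in rrsets:
        return {"rcode": "NOERROR", "answer": rrsets[qtype], "authority": []}
    # Black lies: whether or not the name exists, reply NODATA (NOERROR with an
    # empty answer) plus one NSEC whose owner is the query name itself. For a
    # missing name the bitmap lists only RRSIG and NSEC; for an existing name
    # it lists the types really present. No NXDOMAIN, no closest-encloser NSEC
    # and no separate wildcard-denial NSEC are needed.
    labels = to_labels(qname)
    types = sorted(set(rrsets) | {TYPE_RRSIG, TYPE_NSEC})
    rdata = wire_name(black_lies_next(labels)) + type_bitmap(types)
    return {"rcode": "NOERROR", "answer": None,
            "authority": [("NSEC", qname, rdata)]}


if __name__ == "__main__":
    zone = {"www.example": {TYPE_A: ["192.0.2.1"]}}  # constructed sample zone
    print(respond("missing.example.", TYPE_A, zone))
    print(respond("www.example.", 28, zone))  # AAAA at an existing name: NODATA
    owner = to_labels("missing.example")
    nxt = black_lies_next(owner)
    print(covers(owner, nxt, to_labels("a.missing.example")))  # False: \000 sorts first
```

The `covers` check is the point of the \000 label: in canonical ordering the NUL label is the smallest possible label, so `\000.<qname>` is the immediate successor of `<qname>` and no real zone name can fall inside the interval, which is what removes the zone-walking surface. A validating resolver still sees a correctly formed, signable NSEC, while the answer carries a single NSEC rather than the two or three needed for a conventional NXDOMAIN plus wildcard denial.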