[Pdns-dev] CloudFlare NSEC black lies - any plans for support?

bert hubert bert.hubert at powerdns.com
Thu Jul 21 11:20:44 UTC 2016


On Thu, Jul 21, 2016 at 02:00:36PM +0300, Cristian Seres wrote:
> no, I mean the CloudFlare's solution that is rather different. According to
> the link I sent this approach has following benefits:
> - minimal information revealed, missing name \000 sent as the next name in
> NSEC reply and using NODATA, also no need for additional NSEC for the
> wildcard
> - prevents zone walking unlike NSEC3 which only makes it harder
> - the size of a negative reply is only a fraction of traditional NSEC reply

Well, patches are welcome! We can coordinate on #powerdns our IRC channel if
you want.

> I know about the NSEC3 narrow mode in PowerDNS. I suppose that's the best
> available option to decrease information leak at the moment. RFC7129
> appendix B calls them "NSEC3 White Lies", which is a more commonly used term
> than narrow mode, I think.

We used it way before RFC7129, which may explain.

	Bert
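
The quoted list above describes what a black-lies negative answer looks like. As an added illustration, not code from this thread or from PowerDNS, the Python model below builds that NSEC record for a nonexistent name (owner = qname, next = \000.qname, bitmap holding only NSEC and RRSIG so the reply is NODATA), runs the validator-side NODATA check on it, and sets it beside a traditional NSEC answer for the same query to count how many real zone names each one discloses. The sample zone, the label-tuple representation of names and all helper names are assumptions of this example.

```python
# Added example, not code from the original thread or from PowerDNS.
# Models a CloudFlare-style "NSEC black lies" negative answer next to a
# traditional NSEC answer. Names are tuples of label byte strings in wire
# order (root omitted); the zone contents below are constructed sample data.

from typing import List, Set, Tuple

Name = Tuple[bytes, ...]


def parse_name(text: str) -> Name:
    """Parse a presentation-format name, honouring \\DDD escapes such as \\000."""
    labels: List[bytes] = []
    cur = bytearray()
    text = text.rstrip(".")
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\" and text[i + 1:i + 4].isdigit():
            cur.append(int(text[i + 1:i + 4]))
            i += 4
        elif c == ".":
            labels.append(bytes(cur))
            cur = bytearray()
            i += 1
        else:
            cur.append(ord(c))
            i += 1
    if cur:
        labels.append(bytes(cur))
    return tuple(labels)


def canonical_key(name: Name) -> Tuple[bytes, ...]:
    """RFC 4034 section 6.1 ordering: compare labels from the root outwards,
    case-insensitively, as unsigned octet strings."""
    return tuple(label.lower() for label in reversed(name))


def black_lies_nsec(qname: Name, present_types: Set[str]) -> Tuple[Name, Name, Set[str]]:
    """Black-lies NSEC: owner is the queried name itself and 'next' is
    \\000.qname, the smallest possible successor, so the record covers no
    other name. present_types is empty for a nonexistent name, which turns
    what would be NXDOMAIN into a NODATA answer listing only NSEC and RRSIG."""
    return qname, (b"\x00",) + qname, present_types | {"RRSIG", "NSEC"}


def traditional_nsec(zone: List[Name], qname: Name) -> Tuple[Name, Name]:
    """Classic NSEC chain: the record whose owner precedes qname and whose
    next name follows it, i.e. two real names taken out of the zone."""
    ordered = sorted(zone, key=canonical_key)
    q = canonical_key(qname)
    prev = ordered[-1]
    for n in ordered:
        if canonical_key(n) > q:
            return prev, n
        prev = n
    return prev, ordered[0]  # wrap around to the apex


def nsec_covers(owner: Name, nxt: Name, name: Name) -> bool:
    """True if name sorts strictly between owner and next. No wrap-around
    handling is needed for the black-lies case: next always exceeds owner."""
    return canonical_key(owner) < canonical_key(name) < canonical_key(nxt)


def proves_nodata(owner: Name, types: Set[str], qname: Name, qtype: str) -> bool:
    """A validator's NODATA check: NSEC owner matches qname exactly and qtype
    is absent from the type bitmap."""
    return canonical_key(owner) == canonical_key(qname) and qtype not in types


def names_revealed(zone: List[Name], owner: Name, nxt: Name, qname: Name) -> int:
    """How many real zone names, other than the one queried, the NSEC pair leaks."""
    return len(({owner, nxt} & set(zone)) - {qname})


# Constructed sample zone and a name that does not exist in it.
ZONE = [parse_name(n) for n in ("example.com", "alpha.example.com", "www.example.com")]
MISSING = parse_name("beta.example.com")

if __name__ == "__main__":
    owner, nxt, types = black_lies_nsec(MISSING, set())
    print("black lies :", owner, "->", nxt, sorted(types))
    print("  NODATA for A:", proves_nodata(owner, types, MISSING, "A"))
    print("  real names revealed:", names_revealed(ZONE, owner, nxt, MISSING))
    prev, after = traditional_nsec(ZONE, MISSING)
    print("traditional:", prev, "->", after)
    print("  real names revealed:", names_revealed(ZONE, prev, after, MISSING))
```

Because \000 is the smallest non-empty label, no name can sort between qname and \000.qname, so the black-lies record proves exactly one thing: that qname has no data of the requested type. Following the "next" pointer the way a zone walker would only yields \000.qname, then \000.\000.qname, never a real owner name, whereas the traditional answer hands out the two neighbouring names from the zone with every miss.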

