[Pdns-users] Huge PDNS+DNSSEC setup-Need help
Peter van Dijk
peter.van.dijk at netherlabs.nl
Fri Apr 13 08:58:00 UTC 2012
Hi,
On Apr 13, 2012, at 10:37 , PARTH MONGA wrote:
> That for sure I will go with NSEC3 but whom to actually hit
> NSEC3-inclusive or NSEC3-narrow
>
> Please advise as not able to figure the difference between both NSEC3 modes.

Benefits of narrow mode:
- order name field does not matter (auth field still does)
- no brute forcing calculation of names in your zones

Downsides of narrow mode:
- you cannot have AXFR slaves, all slaves need to be NATIVE (which would work for you)

Benefits of inclusive mode:
- behaviour is closer to what other name servers do, easier to understand when you get a DNSSEC expert to debug something
- receives more testing than narrow

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
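
Added example, not part of the original message and not PowerDNS code: a Python sketch of what a denial-of-existence answer discloses in each mode, using the RFC 5155 NSEC3 hash. The zone contents, salt, iteration count and function names are constructed for illustration, and narrow mode is assumed to use the "white lies" interval H(qname)-1 .. H(qname)+1.

```python
import base64
import hashlib

# Constructed sample zone; salt and iteration count are illustrative values.
ZONE = ["example", "a.example", "mail.example", "www.example"]
SALT, ITERATIONS = "aabbccdd", 12

_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def b32hex(raw: bytes) -> str:
    """Lowercase base32hex, the form used for NSEC3 owner labels."""
    return base64.b32encode(raw).translate(_B32HEX).decode()

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> bytes:
    """RFC 5155 section 5: SHA-1 over lowercased wire-format name plus salt."""
    labels = name.rstrip(".").lower().split(".")
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):  # 'iterations' additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def inclusive_cover(zone_names, qname, salt_hex, iterations):
    """Inclusive mode: the answer is the stored chain link around H(qname),
    so both endpoints are hashes of names that really exist in the zone."""
    chain = sorted(nsec3_hash(n, salt_hex, iterations) for n in zone_names)
    h = nsec3_hash(qname, salt_hex, iterations)
    below = [c for c in chain if c < h]
    above = [c for c in chain if c > h]
    owner = below[-1] if below else chain[-1]  # wrap around the hash ring
    nxt = above[0] if above else chain[0]
    return b32hex(owner), b32hex(nxt)

def narrow_cover(qname, salt_hex, iterations):
    """Narrow mode (assumed white-lies form): computed from the query alone,
    no ordered zone data consulted, no real name's hash disclosed."""
    h = int.from_bytes(nsec3_hash(qname, salt_hex, iterations), "big")
    mod = 1 << 160
    return (b32hex(((h - 1) % mod).to_bytes(20, "big")),
            b32hex(((h + 1) % mod).to_bytes(20, "big")))

if __name__ == "__main__":
    print("inclusive:", inclusive_cover(ZONE, "nosuch.example", SALT, ITERATIONS))
    print("narrow:   ", narrow_cover("nosuch.example", SALT, ITERATIONS))
```

Because `narrow_cover` never looks at the zone, it needs no ordering data, but an AXFR slave holding only a transferred zone file would have no such chain to serve, which is the trade-off listed above.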