[Pdns-users] Huge PDNS+DNSSEC setup-Need help

Peter van Dijk peter.van.dijk at netherlabs.nl
Fri Apr 13 08:58:00 UTC 2012


On Apr 13, 2012, at 10:37 , PARTH MONGA wrote:

> That for sure i will go with NSEC3 but whom to actually  hit 
> NSEC3-inclusive or NSEC3-narrow
> Please advice as not able to figure the difference between both NSEC3 modes.

Benefits of narrow mode:
- order name field does not matter (auth field still does)
- no brute forcing calculation of names in your zones

Downsides of narrow mode:
- you cannot have AXFR slaves, all slaves need to be NATIVE (which would work for you)

Benefits of inclusive mode:
- behaviour is closer to what other name servers do, easier to understand when you get a DNSSEC expert to debug something
- receives more testing than narrow
Kind regards,
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

More information about the Pdns-users mailing list