[Pdns-users] NSEC3 Narrow Mode

bert hubert bert.hubert at netherlabs.nl
Tue Apr 9 10:00:24 UTC 2013

On Tue, Apr 09, 2013 at 11:28:28AM +0200, Klaus Darilion wrote:
> It seems the term "narrow" is not a general NSEC3 term, but a PDNS
> term. Unfortunately I could not find a description what "narrow" vs.
> "non-narrow" means. Maybe someone can describe this or extend the
> docs (and if "narrow" is related to "opt-out" or not).

Hi Klaus,

Good catch. To answer the question what is NSEC3 narrow mode, the best we
offer right now is in paragraph 4.1 of the documentation,
http://doc.powerdns.com/html/powerdnssec.html :

"NSEC3 in 'narrow' mode uses additional hashing calculations to provide
 hashed secure denial of existence 'on the fly', without further involving
 the database."

So, whereas we normally trawl the database to find the two hashes that form
an NSEC3 range, in narrow mode we emit a '1 byte wide' range that covers the

Perhaps look at this as RFC 4470 for RFC 5155. It has some precedent in Dan
Kaminsky's Phreebird http://dankaminsky.com/phreebird/


PowerDNS Website: http://www.powerdns.com/

More information about the Pdns-users mailing list