[Pdns-users] NSEC3 Narrow Mode
bert hubert
bert.hubert at netherlabs.nl
Tue Apr 9 10:00:24 UTC 2013
On Tue, Apr 09, 2013 at 11:28:28AM +0200, Klaus Darilion wrote:
> It seems the term "narrow" is not a general NSEC3 term, but a PDNS
> term. Unfortunately I could not find a description what "narrow" vs.
> "non-narrow" means. Maybe someone can describe this or extend the
> docs (and if "narrow" is related to "opt-out" or not).
Hi Klaus,
Good catch. To answer the question what is NSEC3 narrow mode, the best we
offer right now is in paragraph 4.1 of the documentation,
http://doc.powerdns.com/html/powerdnssec.html :
"NSEC3 in 'narrow' mode uses additional hashing calculations to provide
hashed secure denial of existence 'on the fly', without further involving
the database."
So, whereas we normally trawl the database to find the two hashes that form
an NSEC3 range, in narrow mode we emit a '1 byte wide' range that covers the
query.
Perhaps look at this as RFC 4470 for RFC 5155. It has some precedent in Dan
Kaminsky's Phreebird http://dankaminsky.com/phreebird/
Bert
--
PowerDNS Website: http://www.powerdns.com/
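
Added example, not part of the original message and not PowerDNS code: a sketch of the narrow-mode idea described above, computing the RFC 5155 NSEC3 hash of a queried name and building a covering range around it without any database lookup. It assumes SHA-1 and that the range runs from hash-1 to hash+1 (the RFC 4470-style minimal cover); the function names, salt and the queried name are constructed for illustration.

```python
import base64
import hashlib

# Map the standard base32 alphabet to base32hex (RFC 4648), lowercase as in zone files.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789abcdefghijklmnopqrstuv")
MOD = 1 << 160  # SHA-1 output space


def wire_name(name):
    """Canonical (lowercased) DNS wire format of a domain name."""
    out = b""
    for label in (l for l in name.lower().split(".") if l):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: H(name || salt), then re-hashed `iterations` more times."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def b32hex(digest):
    """Base32hex label as it appears as an NSEC3 owner name."""
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii")


def narrow_range(digest):
    """Assumed narrow-mode range: (hash - 1, hash + 1), wrapping at the ends."""
    h = int.from_bytes(digest, "big")
    return (((h - 1) % MOD).to_bytes(20, "big"),
            ((h + 1) % MOD).to_bytes(20, "big"))


def covers(owner, nxt, digest):
    """True if digest lies strictly inside (owner, nxt), allowing wrap-around."""
    if owner < nxt:
        return owner < digest < nxt
    return digest > owner or digest < nxt


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")              # constructed sample parameters
    h = nsec3_hash("nosuch.example", salt, 12)    # constructed query name
    owner, nxt = narrow_range(h)
    print(b32hex(owner), "->", b32hex(nxt), "covers", b32hex(h), covers(owner, nxt, h))
```

Because the range contains only the queried hash, a validator can confirm the denial while the response reveals nothing about which hashes actually exist in the zone.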