[Pdns-users] NSEC3 Narrow Mode

Klaus Darilion klaus.mailinglists at pernau.at
Tue Apr 9 13:37:10 UTC 2013

Hi Bert!

On 09.04.2013 12:00, bert hubert wrote:
> On Tue, Apr 09, 2013 at 11:28:28AM +0200, Klaus Darilion wrote:
>> It seems the term "narrow" is not a general NSEC3 term, but a PDNS
>> term. Unfortunately I could not find a description what "narrow" vs.
>> "non-narrow" means. Maybe someone can describe this or extend the
>> docs (and if "narrow" is related to "opt-out" or not).
> Hi Klaus,
> Good catch. To answer the question what is NSEC3 narrow mode, the best we
> offer right now is in paragraph 4.1 of the documentation,
> http://doc.powerdns.com/html/powerdnssec.html :
> "NSEC3 in 'narrow' mode uses additional hashing calculations to provide
>   hashed secure denial of existence 'on the fly', without further involving
>   the database."

Ah, I missed section 4.1.

> So, whereas we normally trawl the database to find the two hashes that form
> an NSEC3 range, in narrow mode we emit a '1 byte wide' range that covers the
> query.
> Perhaps look at this as RFC 4470 for RFC 5155. It has some precedent in Dan
> Kaminsky's Phreebird http://dankaminsky.com/phreebird/

In our setup (built by somebody else) I do not see any NSEC3 specific 
configuration. So which mode is used then? We use PDNS as secondary, 
thus the database is filled by PowerDNS on zone transfers. I see that 
the records.ordername column is filled with hashes, thus I guess it is 
using either 'broad' or 'inclusive' mode. How do I know which one is 
used, and does it actually matter which mode is used (what is the 
difference betwenn 'broad' and 'inclusive')?


More information about the Pdns-users mailing list