[Pdns-users] NSEC3 Narrow Mode
klaus.mailinglists at pernau.at
Tue Apr 9 13:37:10 UTC 2013
On 09.04.2013 12:00, bert hubert wrote:
> On Tue, Apr 09, 2013 at 11:28:28AM +0200, Klaus Darilion wrote:
>> It seems the term "narrow" is not a general NSEC3 term, but a PDNS
>> term. Unfortunately I could not find a description what "narrow" vs.
>> "non-narrow" means. Maybe someone can describe this or extend the
>> docs (and if "narrow" is related to "opt-out" or not).
> Hi Klaus,
> Good catch. To answer the question what is NSEC3 narrow mode, the best we
> offer right now is in paragraph 4.1 of the documentation,
> http://doc.powerdns.com/html/powerdnssec.html :
> "NSEC3 in 'narrow' mode uses additional hashing calculations to provide
> hashed secure denial of existence 'on the fly', without further involving
> the database."
Ah, I missed section 4.1.
> So, whereas we normally trawl the database to find the two hashes that form
> an NSEC3 range, in narrow mode we emit a '1 byte wide' range that covers the
> Perhaps look at this as RFC 4470 for RFC 5155. It has some precedent in Dan
> Kaminsky's Phreebird http://dankaminsky.com/phreebird/
In our setup (built by somebody else) I do not see any NSEC3 specific
configuration. So which mode is used then? We use PDNS as secondary,
thus the database is filled by PowerDNS on zone transfers. I see that
the records.ordername column is filled with hashes, thus I guess it is
using either 'broad' or 'inclusive' mode. How do I know which one is
used, and does it actually matter which mode is used (what is the
difference betwenn 'broad' and 'inclusive')?
More information about the Pdns-users