[Pdns-users] NSEC3 Narrow Mode

bert hubert bert.hubert at netherlabs.nl
Tue Apr 9 19:49:45 UTC 2013

On Apr 9, 2013, at 3:37 PM, Klaus Darilion wrote:
>> "NSEC3 in 'narrow' mode uses additional hashing calculations to provide
>>  hashed secure denial of existence 'on the fly', without further involving
>>  the database."
> Ah, I missed section 4.1.

It is only one line, so easy enough to miss.

> o not see any NSEC3 specific configuration. So which mode is used then? We use PDNS as secondary, thus the database is filled by PowerDNS on zone transfers. I see that the records.ordername column is filled with hashes, thus I guess it is using either 'broad' or 'inclusive' mode. How do I know which one is used, and does it actually matter which mode is used (what is the difference betwenn 'broad' and 'inclusive')?

If you run a secondary over AXFR, your zone will be pre-signed (if the actual signing happens on the master). In that case the secondary does not have the keys and can't do 'narrow' mode.

pdnssec show-zone will give you all the details. 

The difference is mostly one of performance, although this is not black or white - some people have reported narrow to be faster, although it should be somewhat slower in many cases. All in all it does not matter that much.


More information about the Pdns-users mailing list