[Pdns-users] NSEC3 Narrow Mode

Klaus Darilion klaus.mailinglists at pernau.at
Wed Apr 10 08:58:15 UTC 2013

On 09.04.2013 21:49, bert hubert wrote:
> On Apr 9, 2013, at 3:37 PM, Klaus Darilion wrote:
>>> "NSEC3 in 'narrow' mode uses additional hashing calculations to
>>> provide hashed secure denial of existence 'on the fly', without
>>> further involving the database."
>> Ah, I missed section 4.1.
> It is only one line, so easy enough to miss.
>> o not see any NSEC3 specific configuration. So which mode is used
>> then? We use PDNS as secondary, thus the database is filled by
>> PowerDNS on zone transfers. I see that the records.ordername column
>> is filled with hashes, thus I guess it is using either 'broad' or
>> 'inclusive' mode. How do I know which one is used, and does it
>> actually matter which mode is used (what is the difference betwenn
>> 'broad' and 'inclusive')?
> If you run a secondary over AXFR, your zone will be pre-signed (if
> the actual signing happens on the master). In that case the secondary
> does not have the keys and can't do 'narrow' mode.
> pdnssec show-zone will give you all the details.
> The difference is mostly one of performance, although this is not
> black or white - some people have reported narrow to be faster,
> although it should be somewhat slower in many cases. All in all it
> does not matter that much.

# pdnssec show-zone example.at
Zone has hashed NSEC3 semantics, configuration: 1 1 10 beef
Zone is presigned
No keys for zone 'example.at'.

So, as expected it is not in "narrow" mode. But which mode is it? 
'broad' or 'inclusive' mode? And what is the difference between 'broad' 
and 'inclusive' mode?

I think it would be nice to add the terms "narrow/broad/inclusive" also 
to the output.


More information about the Pdns-users mailing list