[Pdns-users] NSEC3 opt-out issues in PDNS 3.2

Peter van Dijk peter.van.dijk at netherlabs.nl
Thu Mar 28 12:13:01 UTC 2013


Hello Klaus,

On Mar 28, 2013, at 12:03 , Klaus Darilion wrote:

> Meanwhile I found the important statement in the documentation: "In NSEC3 opt-out mode (the only NSEC3 mode PowerDNS currently supports) ...".
> 
> Are there any plans to support NSEC3 without opt-out?

Yes - Kees Monshouwer has in fact written a great patch for it already. We will merge it as time permits. You can find it at https://github.com/Habbie/powerdns/pull/71

> Further, I wonder why and how PowerDNS synthesizes the NSEC3 records on the fly. In our setup PDNS is a secondary; the signing happens on the master. Thus, PDNS receives the zone with AXFR, including the NSEC3 records and the corresponding RRSIG records. Then, PDNS ignores all the NSEC3 records and synthesizes them anew. Therefore there is a great chance that the original signature does not work anymore, and that's also the reason why a zone without opt-out gets broken by PDNS.


Apart from opt-out vs. no opt-out, we have had zero reports of our synthesis breaking original signatures. I'll admit that it does not feel robust, but all modern signers appear to agree on what the canonical NSEC3 chain for a zone is.

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
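To make the "canonical NSEC3 chain" point concrete, here is an added example (written for this page, not PowerDNS code and not Kees Monshouwer's patch) that builds the chain the way RFC 5155 specifies: hash every name with the zone's salt and iteration count, sort by hash, point each record at the next hash, and in opt-out mode drop insecure delegations and flag the records that cover them. The zone content, apex "example", and the RRSIG placement rule are constructed assumptions; the salt "aabbccdd" and 12 iterations are the parameters used in RFC 5155 Appendix A, so the apex hash can be checked against the RFC. Only hash algorithm 1 (SHA-1) is handled.

```python
"""NSEC3 chain synthesis per RFC 5155 (an added example, not PowerDNS code).

Assumptions (hypothetical, for illustration): SHA-1 only, names are ASCII and
under the apex, RRSIG is listed for every signed node, and the Opt-Out flag is
set only on the NSEC3 RR whose span covers an omitted insecure delegation.
"""
import hashlib
from base64 import b32encode

# RFC 4648 base32 alphabet -> base32hex, the alphabet NSEC3 owner names use.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")

# Constructed zone content, as a signer would see it (apex "example").
APEX = "example"
SALT = bytes.fromhex("aabbccdd")   # salt and iterations from RFC 5155 Appendix A
ITERATIONS = 12
ZONE = {
    "example":     {"SOA", "NS", "DNSKEY", "NSEC3PARAM"},
    "ns1.example": {"A"},
    "a.example":   {"NS"},         # insecure delegation: NS but no DS
    "c.example":   {"NS", "DS"},   # secure delegation
    "x.w.example": {"A"},          # makes w.example an empty non-terminal
}


def wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root byte."""
    name = name.strip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 s5: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 SHA-1 bytes encode to exactly 32 base32hex characters, no padding.
    return b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def with_empty_non_terminals(zone: dict, apex: str) -> dict:
    """Add the empty non-terminals between each name and the apex; they need NSEC3 RRs too."""
    names = {n: set(t) for n, t in zone.items()}
    for name in zone:
        if name == apex:
            continue
        parent = name.split(".", 1)[1]
        while parent != apex and parent not in names:
            names[parent] = set()
            parent = parent.split(".", 1)[1]
    return names


def is_insecure_delegation(names: dict, apex: str, name: str) -> bool:
    types = names.get(name, set())
    return name != apex and "NS" in types and "DS" not in types


def _covers(owner: str, nxt: str, h: str) -> bool:
    """True if hash h lies strictly inside the span (owner, nxt); the last span wraps around."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt


def build_nsec3_chain(zone, apex, salt, iterations, opt_out):
    """Return the canonical NSEC3 chain as a list of dicts in hash order."""
    names = with_empty_non_terminals(zone, apex)
    omitted, entries = [], []
    for name, types in names.items():
        insecure = is_insecure_delegation(names, apex, name)
        if opt_out and insecure:
            omitted.append(nsec3_hash(name, salt, iterations))   # RFC 5155 s7.1: opt-out omits these
            continue
        bitmap = set(types)
        if bitmap and not insecure:
            bitmap.add("RRSIG")   # signed authoritative data; an insecure delegation's NS set is unsigned
        entries.append((nsec3_hash(name, salt, iterations), sorted(bitmap)))
    entries.sort()   # base32hex preserves the byte order of the hashes, so string order is canonical order
    chain = []
    for i, (owner, bitmap) in enumerate(entries):
        nxt = entries[(i + 1) % len(entries)][0]
        flags = 1 if any(_covers(owner, nxt, h) for h in omitted) else 0
        chain.append({"owner": owner, "flags": flags, "next": nxt, "types": bitmap})
    return chain


def nsec3_rr_text(rr: dict, apex: str, salt: bytes, iterations: int) -> str:
    """Presentation format: owner NSEC3 alg flags iterations salt next-hash type-bitmap."""
    salt_txt = salt.hex() if salt else "-"
    fields = [f"{rr['owner']}.{apex}.", "NSEC3", "1", str(rr["flags"]),
              str(iterations), salt_txt, rr["next"]] + rr["types"]
    return " ".join(fields)


if __name__ == "__main__":
    # Same input gives the same chain; the two modes give different chains.
    for opt_out in (False, True):
        print(f"--- opt_out={opt_out} ---")
        for rr in build_nsec3_chain(ZONE, APEX, SALT, ITERATIONS, opt_out):
            print(nsec3_rr_text(rr, APEX, SALT, ITERATIONS))
```

Running it twice on the same zone yields byte-identical records, which is why a slave that re-synthesizes the chain can still serve the master's RRSIGs over it. The opt-out run drops a.example from the chain and sets the Opt-Out flag on the one record whose span covers its hash; a slave that synthesizes in opt-out mode from a zone the master signed without opt-out therefore produces NSEC3 records the master never signed, which is the breakage described in the quoted message.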
