[Pdns-users] dnssec related questions

Peter van Dijk peter.van.dijk at powerdns.com
Thu Sep 1 14:35:51 UTC 2016

Hello Peter,

On 26 Aug 2016, at 14:49, Keresztes Péter-Zoltán wrote:

> I was wondering when securing a zone if there is any security 
> difference between using nsec3 and nsec3-narrow besides the fact that 
> nsec3 needs the zone to be rectified after each change while 
> nsec3-narrow does not need that.

With NSEC3 (non-narrow), somebody can easily get all your NSEC3 records 
(of which you have roughly as many as there are names in your zone), and 
then do an offline brute force to find the actual names in your zones - 
more info at https://dnscurve.org/nsec3walker.html

Narrow prevents this by generating a very small (narrow) NSEC3 for every 
negative response, at a higher CPU cost, and terrible cache hit rates if 
somebody starts sending you random queries.

If you care about enumeration, narrow might be of interest (but keep in 
mind there are many ways for somebody to find out the contents of your 

Kind regards,
Peter van Dijk
PowerDNS.COM BV
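
The following is an added example, not part of the original message and not PowerDNS code. It computes the NSEC3 owner hash as defined in RFC 5155 and contrasts it with a narrow covering range built per query as hash minus one to hash plus one (the "white lies" scheme of RFC 7129, assumed here as the narrow behaviour). The function names are this example's own; the salt and iteration count are the RFC 5155 Appendix A test values, and the queried names are constructed.

```python
import base64
import hashlib

# NSEC3 uses base32hex (RFC 4648); translate from the standard base32 alphabet.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def b32hex(raw: bytes) -> str:
    return base64.b32encode(raw).translate(_B32HEX).decode().lower()


def to_wire(name: str) -> bytes:
    """Canonical (lowercased) DNS wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_digest(name: str, salt_hex: str, iterations: int) -> bytes:
    """RFC 5155 section 5: SHA-1 over name||salt, then `iterations` re-hashes."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    return b32hex(nsec3_digest(name, salt_hex, iterations))


def narrow_cover(qname: str, salt_hex: str, iterations: int):
    """Owner/next hashes of a minimal NSEC3 covering only hash(qname).

    Nothing here depends on other names in the zone, so the range reveals
    no hash of a real name, but it must be computed (and signed) per query.
    """
    h = int.from_bytes(nsec3_digest(qname, salt_hex, iterations), "big")
    mod = 1 << 160  # SHA-1 output space; wrap at the ends of the hash ring
    return (b32hex(((h - 1) % mod).to_bytes(20, "big")),
            b32hex(((h + 1) % mod).to_bytes(20, "big")))


if __name__ == "__main__":
    salt, iters = "aabbccdd", 12  # RFC 5155 Appendix A parameters
    print("pre-computed chain entry:", nsec3_hash("example", salt, iters))
    for q in ("nope1.example", "nope2.example"):  # constructed query names
        print(q, "->", narrow_cover(q, salt, iters))
```
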

