[Pdns-users] DNSSEC NSEC vs. NSEC3 broad vs. inclusive vs. narrow
Kevin Olbrich
ko at sv01.de
Mon Oct 29 12:14:21 UTC 2018
Hi!
I read this doc:
https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html
PowerDNS Authoritative Server 4.1.1
Currently all zones are DNSSEC signed with NSEC by default.
We noticed a problem with non-existent CAA records: The zone is native and
replicated via AXFR to an external service.
If I query the master, the result is "not found". If I query the external
server, it replies with SRVFAIL.
This changes as soon as I set a CAA, the lookup succeeds.
I think I have narrowed it down to NSEC. As NSEC3 makes zone-walking more
difficult, I would like to switch.
I tried "pdnsutil set-nsec3 example.com" which set some default values and
changed zone from NSEC to NSEC3.
Before I do this change with 600+ Zones, what is the best practice setting
for NSEC/NSEC3?
The docs state broad vs. inclusive vs. narrow but without any more
information.
And finally: Would this solve the CAA with replication problem?
Thank you very much.
Kevin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20181029/490b1d2a/attachment.html>
More information about the Pdns-users
mailing list