[Pdns-users] DNSSEC NSEC vs. NSEC3 broad vs. inclusive vs. narrow
ko at sv01.de
Mon Oct 29 12:14:21 UTC 2018
I read this doc:
PowerDNS Authoritative Server 4.1.1
Currently all zones are DNSSEC signed with NSEC by default.
We noticed a problem with non-existent CAA records: The zone is native and
replicated via AXFR to an external service.
If I query the master, the result is "not found". If I query the external
server, it replies with SERVFAIL.
This changes as soon as I set a CAA: the lookup succeeds.
I think I have narrowed it down to NSEC. As NSEC3 makes zone-walking more
difficult, I would like to switch.
I tried "pdnsutil set-nsec3 example.com", which set some default values and
changed the zone from NSEC to NSEC3.
Before I do this change with 600+ zones, what is the best practice setting
The docs state broad vs. inclusive vs. narrow but without any more
And finally: Would this solve the CAA with replication problem?
Thank you very much.