[Pdns-users] DNSSEC NSEC vs. NSEC3 broad vs. inclusive vs. narrow

Kevin Olbrich ko at sv01.de
Mon Oct 29 12:14:21 UTC 2018


I read this doc:

PowerDNS Authoritative Server 4.1.1

Currently all zones are DNSSEC signed with NSEC by default.
We noticed a problem with non-existent CAA records: The zone is native and
replicated via AXFR to an external service.
If I query the master, the result is "not found". If I query the external
server, it replies with SERVFAIL.
This changes as soon as I set a CAA, the lookup succeeds.

I think I have narrowed it down to NSEC. As NSEC3 makes zone-walking more
difficult, I would like to switch.
I tried "pdnsutil set-nsec3 example.com" which set some default values and
changed zone from NSEC to NSEC3.

Before I do this change with 600+ Zones, what is the best practice setting
The docs state broad vs. inclusive vs. narrow but without any more

And finally: Would this solve the CAA with replication problem?

Thank you very much.
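The bulk change asked about above, as an added example that is not part of the original post and not code from PowerDNS itself: a POSIX shell script that validates an NSEC3PARAM string, builds the `pdnsutil set-nsec3` (and, for inclusive mode, `pdnsutil rectify-zone`) command lines for a list of zones, and classifies `dig +dnssec` output so the non-existent-CAA case can be checked on the master and on the external secondary after the switch. It assumes `pdnsutil` and `dig` are in PATH and that zone names arrive one per line on stdin (for example from `pdnsutil list-all-zones`); `DRY_RUN=1` only prints the commands. The parameter strings `'1 0 1 ab'` (the PowerDNS documentation's example) and `'1 0 0 -'` (RFC 9276's zero-iterations, no-salt recommendation) and the iteration cap of 100 are choices made here, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post or from PowerDNS): switch many
# zones from NSEC to NSEC3 with pdnsutil and check that a query for a
# non-existent CAA record gets a signed denial instead of SERVFAIL.
# Assumptions: pdnsutil and dig are in PATH; zone names come one per line on
# stdin (e.g. from `pdnsutil list-all-zones`); DRY_RUN=1 only prints commands.

# Validate an NSEC3PARAM string "ALG FLAGS ITERATIONS SALT" as pdnsutil
# set-nsec3 expects it (e.g. '1 0 1 ab' from the PowerDNS docs, or '1 0 0 -'
# for the RFC 9276 recommendation of zero iterations and no salt).
# ALG must be 1 (SHA-1, the only defined value); FLAGS 0 or 1 (1 = opt-out);
# ITERATIONS is capped at 100 here because extra iterations only cost CPU;
# SALT is '-' (none) or an even-length hex string.
nsec3_params_valid() {
  set -- $1                         # word-split the string into $1..$4
  [ $# -eq 4 ] || return 1
  [ "$1" = 1 ] || return 1
  case "$2" in 0|1) ;; *) return 1 ;; esac
  case "$3" in ''|*[!0-9]*) return 1 ;; esac
  [ "$3" -le 100 ] || return 1
  case "$4" in
    -) ;;
    *[!0-9a-fA-F]*) return 1 ;;
    *) [ $(( ${#4} % 2 )) -eq 0 ] || return 1 ;;
  esac
  return 0
}

# Build the command line for one zone. MODE is "" for inclusive mode (the
# default: ordering data is stored in the backend, so rectify-zone must
# follow) or "narrow" (denials are computed on the fly, no rectify needed).
nsec3_commands() {
  nsec3_params_valid "$2" || return 1
  if [ "$3" = narrow ]; then
    printf "pdnsutil set-nsec3 %s '%s' narrow\n" "$1" "$2"
  else
    printf "pdnsutil set-nsec3 %s '%s' && pdnsutil rectify-zone %s\n" "$1" "$2" "$1"
  fi
}

# Apply to every zone read from stdin; with DRY_RUN=1 print instead of run.
# Keeps going after a failed zone and returns non-zero at the end if any failed.
nsec3_apply_all() {
  params=$1; mode=$2; failed=0
  nsec3_params_valid "$params" || { echo "invalid NSEC3 params '$params'" >&2; return 2; }
  while read -r zone; do
    [ -n "$zone" ] || continue
    cmd=$(nsec3_commands "$zone" "$params" "$mode")
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$cmd"; else eval "$cmd" || failed=1; fi
  done
  return $failed
}

# Classify the output of `dig +dnssec @SERVER NAME TYPE` for a record that must
# not exist: a correct signed denial is NOERROR (NODATA) or NXDOMAIN with an
# NSEC or NSEC3 record in the authority section; SERVFAIL is the failure the
# post describes on the secondary. Prints a one-word verdict.
classify_denial() {
  case "$1" in
    *"status: SERVFAIL"*) echo servfail; return 1 ;;
    *"status: NOERROR"*|*"status: NXDOMAIN"*) ;;
    *) echo unexpected; return 1 ;;
  esac
  case "$1" in
    *[[:space:]]NSEC3[[:space:]]*) echo nsec3 ;;
    *[[:space:]]NSEC[[:space:]]*)  echo nsec ;;
    *) echo unsigned-denial; return 1 ;;
  esac
}

# Live check for the apex CAA case from the post (needs network, so the tests
# do not call it): run once against the master and once against the secondary;
# both verdicts should be nsec3 after the switch and neither may be servfail.
check_caa_denial() {   # $1 = server, $2 = zone
  classify_denial "$(dig +dnssec +norecurse "@$1" "$2" CAA)"
}
```

Run the dry run first (`pdnsutil list-all-zones | DRY_RUN=1 sh -c '. ./nsec3.sh; nsec3_apply_all "1 0 0 -"'`) and review the output before running it without `DRY_RUN`; then compare `check_caa_denial ns-master example.com` with the same call against the external secondary, since an AXFR secondary that rejects or mis-serves the transferred NSEC3PARAM and NSEC3 data would still show up as servfail there.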

