[Pdns-users] DNSSEC NSEC vs. NSEC3 broad vs. inclusive vs. narrow
Kevin Olbrich
ko at sv01.de
Mon Oct 29 12:39:43 UTC 2018
Hi again,
I have now updated to Pdns 4.1.4 and will test if the problem is still
present.
In the meantime I read this doc:
https://dnscurve.org/espionage2.html
Now I am unsure if NSEC3 is the way to go.
What's best practice?
Kevin
On Mon, 29 Oct 2018 at 13:14, Kevin Olbrich <ko at sv01.de> wrote:
> Hi!
>
> I read this doc:
> https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html
>
> PowerDNS Authoritative Server 4.1.1
>
> Currently all zones are DNSSEC signed with NSEC by default.
> We noticed a problem with non-existent CAA records: The zone is native and
> replicated via AXFR to an external service.
> If I query the master, the result is "not found". If I query the external
> server, it replies with SERVFAIL.
> This changes as soon as I set a CAA: the lookup succeeds.
>
> I think I have narrowed it down to NSEC. As NSEC3 makes zone-walking more
> difficult, I would like to switch.
> I tried "pdnsutil set-nsec3 example.com" which set some default values
> and changed the zone from NSEC to NSEC3.
>
> Before I do this change with 600+ zones, what is the best practice setting
> for NSEC/NSEC3?
> The docs state broad vs. inclusive vs. narrow but without any more
> information.
>
> And finally: Would this solve the CAA with replication problem?
>
> Thank you very much.
>
> Kevin
>