[Pdns-users] DNSSEC NSEC vs. NSEC3 broad vs. inclusive vs. narrow

Kevin Olbrich ko at sv01.de
Mon Oct 29 12:39:43 UTC 2018

Hi again,

I have now updated to Pdns 4.1.4 and will test if the problem is still

In the meantime I read this doc:

Now I am unsure if NSEC3 is the way to go.
What's best practice?


On Mon, 29 Oct 2018 at 13:14, Kevin Olbrich <ko at sv01.de> wrote:

> Hi!
> I read this doc:
> https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html
> PowerDNS Authoritative Server 4.1.1
> Currently all zones are DNSSEC signed with NSEC by default.
> We noticed a problem with non-existent CAA records: The zone is native and
> replicated via AXFR to an external service.
> If I query the master, the result is "not found". If I query the external
> server, it replies with SERVFAIL.
> This changes as soon as I set a CAA: the lookup succeeds.
> I think I have narrowed it down to NSEC. As NSEC3 makes zone-walking more
> difficult, I would like to switch.
> I tried "pdnsutil set-nsec3 example.com", which set some default values
> and changed the zone from NSEC to NSEC3.
> Before I do this change with 600+ zones, what is the best practice setting
> for NSEC/NSEC3?
> The docs state broad vs. inclusive vs. narrow but without any more
> information.
> And finally: Would this solve the CAA with replication problem?
> Thank you very much.
> Kevin
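The denial-of-existence check a validating resolver performs on a negative (NXDOMAIN/NODATA) answer from an NSEC3 zone like the one being switched to above, as an added Python example that is not from this thread or from PowerDNS. The NSEC3 record is the RFC 5155 Appendix A test vector (hash algorithm 1, flags 1, 12 iterations, salt aabbccdd); `nsec3_hash`, `nsec3_covers` and `nsec3_rr_covers` are names chosen here.

```python
import base64
import hashlib

# RFC 5155 hashes are lowercase base32hex; Python only ships the RFC 4648 alphabet.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789abcdefghijklmnopqrstuv")

# Constructed input: the NSEC3 record for the apex of the RFC 5155 Appendix A
# example zone (alg 1, flags 1, 12 iterations, salt aabbccdd).
EXAMPLE_NSEC3_RR = ("0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. 3600 IN NSEC3 1 1 12 aabbccdd "
                    "2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG")


def wire_name(name: str) -> bytes:
    """Canonical wire form of a name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """RFC 5155 section 5: SHA-1(name || salt), then `iterations` more rounds of SHA-1(prev || salt)."""
    if algorithm != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined for NSEC3")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)   # "-" means empty salt
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes = 160 bits = exactly 32 base32 characters, so no '=' padding appears.
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX)


def nsec3_covers(owner_hash: str, next_hash: str, query_hash: str) -> bool:
    """True if query_hash lies strictly between owner and next in the hashed chain."""
    o, n, q = owner_hash.lower(), next_hash.lower(), query_hash.lower()
    if o < n:
        return o < q < n
    return q > o or q < n      # last record of the chain wraps around to the first


def nsec3_rr_covers(qname: str, rr: str) -> bool:
    """Does this NSEC3 RR (presentation format) prove that qname does not exist?"""
    fields = rr.split()
    i = fields.index("NSEC3")                       # skips optional TTL/class
    alg, _flags, iters, salt, next_hash = fields[i + 1:i + 6]
    owner_hash = fields[0].split(".")[0]
    return nsec3_covers(owner_hash, next_hash, nsec3_hash(qname, salt, int(iters), int(alg)))


if __name__ == "__main__":
    print(nsec3_hash("example", "aabbccdd", 12))     # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    print(nsec3_rr_covers("example", EXAMPLE_NSEC3_RR))   # False: the apex exists (NODATA, not NXDOMAIN)
```

Feed it the NSEC3 and NSEC3PARAM records from a `+dnssec` query to both the master and the AXFR secondary: if the secondary's NSEC3 record does not cover the hashed CAA query name, the negative answer cannot validate and a resolver returns SERVFAIL.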