[Pdns-users] DNSSEC NSEC vs. NSEC3 broad vs. inclusive vs. narrow

Aki Tuomi cmouse at cmouse.fi
Mon Oct 29 13:09:00 UTC 2018


While the DNSCurve page provides excellent information about how your
DNS data can be figured out using NSEC/NSEC3, it does fail to answer why
DNS data should be considered private in the first place.

If your security model relies on people not finding out your magical DNS
record names, you might want to consider again.

Aki

On 29.10.2018 14.39, Kevin Olbrich wrote:
> Hi again,
>
> I have now updated to Pdns 4.1.4 and will test if the problem is still
> present.
>
> In the meantime I read this doc:
> https://dnscurve.org/espionage2.html
>
> Now I am unsure if NSEC3 is the way to go.
> What's best practice?
>
> Kevin
>
>
> Am Mo., 29. Okt. 2018 um 13:14 Uhr schrieb Kevin Olbrich <ko at sv01.de>:
>
>     Hi!
>
>     I read this doc:
>     https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html
>
>     PowerDNS Authoritative Server 4.1.1
>
>     Currently all zones are DNSSEC signed with NSEC by default.
>     We noticed a problem with non-existent CAA records: The zone is
>     native and replicated via AXFR to an external service.
>     If I query the master, the result is "not found". If I query the
>     external server, it replies with SERVFAIL.
>     This changes as soon as I set a CAA, the lookup succeeds.
>
>     I think I have narrowed it down to NSEC. As NSEC3 makes
>     zone-walking more difficult, I would like to switch.
>     I tried "pdnsutil set-nsec3 example.com"
>     which set some default values and changed zone from NSEC to NSEC3.
>
>     Before I do this change with 600+ Zones, what is the best practice
>     setting for NSEC/NSEC3?
>     The docs state broad vs. inclusive vs. narrow but without any more
>     information.
>
>     And finally: Would this solve the CAA with replication problem?
>
>     Thank you very much.
>
>     Kevin
>
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
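The zone-walking concern raised in the thread, as an added example that is not part of the original post and not PowerDNS code: the script below builds the NSEC and the NSEC3 chain for a constructed toy zone, walks both the way an enumerator would (each "next owner" pointer is what a denial-of-existence response hands back), and then runs an offline dictionary attack on the collected NSEC3 hashes using the RFC 5155 hash construction. The zone names, the salt, the iteration count and the wordlist are made up for the demonstration; the hash routine is checked against the RFC 5155 Appendix A vector for "example.". PowerDNS's broad/inclusive/narrow setting is not modelled here.

```python
"""NSEC zone walk vs. NSEC3 hash enumeration (RFC 4034, RFC 5155).

Added example for this thread; not PowerDNS code. Zone contents, salt,
iteration count and wordlist are constructed for the demonstration.
"""
import hashlib

# RFC 4648 "extended hex" alphabet, lowercase as in RFC 5155 examples.
BASE32HEX = "0123456789abcdefghijklmnopqrstuv"

# Constructed toy zone. "secret-admin" is the kind of name the original
# poster hoped to keep from zone walkers; "x7q2-internal" is unguessable.
ZONE = [
    "example.com.",
    "api.example.com.",
    "secret-admin.example.com.",
    "www.example.com.",
    "x7q2-internal.example.com.",
]

# Constructed attacker wordlist (hypothetical).
WORDLIST = ["www", "mail", "api", "ftp", "admin", "secret-admin", "vpn"]


def to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32hex without padding (20 SHA-1 bytes encode to exactly 32 chars)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(BASE32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: IH(0) = SHA1(wire || salt); IH(k) = SHA1(IH(k-1) || salt).

    RFC 5155 Appendix A vector: nsec3_hash("example.", "aabbccdd", 12)
    == "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom".
    """
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def canonical_key(name: str):
    """RFC 4034 section 6.1 canonical order: compare labels right to left."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def build_nsec_chain(names):
    """Owner -> next owner, in canonical order, wrapping back to the apex."""
    ordered = sorted(names, key=canonical_key)
    return {owner: ordered[(i + 1) % len(ordered)] for i, owner in enumerate(ordered)}


def build_nsec3_chain(names, salt_hex, iterations):
    """Hashed owner -> next hashed owner, sorted by hash value."""
    hashed = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return {h: hashed[(i + 1) % len(hashed)] for i, h in enumerate(hashed)}


def walk(chain, start):
    """Follow 'next owner' pointers until the chain wraps around.

    A real walker gets each record by querying the last owner learned for a
    type it does not have; the NSEC/NSEC3 in the negative answer names the
    next owner. Here the chain dict stands in for those responses.
    """
    seen = [start]
    nxt = chain[start]
    while nxt != start:
        seen.append(nxt)
        nxt = chain[nxt]
    return seen


def crack_nsec3(hashes, apex, salt_hex, iterations, wordlist):
    """Offline dictionary attack: hash each guess under the zone's NSEC3PARAM
    and look it up in the hashes collected from the walk."""
    guesses = {nsec3_hash(f"{w}.{apex}", salt_hex, iterations): f"{w}.{apex}" for w in wordlist}
    guesses[nsec3_hash(apex, salt_hex, iterations)] = apex
    return {h: guesses[h] for h in hashes if h in guesses}


def demo(salt_hex="aabbccdd", iterations=12):
    """Return (names from NSEC walk, hashes from NSEC3 walk, names recovered from hashes)."""
    apex = "example.com."
    names = walk(build_nsec_chain(ZONE), apex)
    hashes = walk(build_nsec3_chain(ZONE, salt_hex, iterations), nsec3_hash(apex, salt_hex, iterations))
    recovered = crack_nsec3(hashes, apex, salt_hex, iterations, WORDLIST)
    return names, hashes, recovered


if __name__ == "__main__":
    names, hashes, recovered = demo()
    print("NSEC walk revealed:", names)
    print("NSEC3 walk revealed only hashes:", hashes)
    print("recovered from hashes by guessing:", sorted(recovered.values()))
```

The NSEC walk returns every name in the zone with one query per name. The NSEC3 walk returns the same number of entries but as hashes, and the dictionary step recovers exactly the guessable ones (here including "secret-admin") while the random label stays hidden. That is the practical content of Aki's point: NSEC3 raises the cost of enumeration, it does not make record names a secret that a security model can depend on.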