[Pdns-users] DNSSEC NSEC vs. NSEC3 broad vs. inclusive vs. narrow

Kevin Olbrich ko at sv01.de
Mon Oct 29 15:37:06 UTC 2018


Thank you very much!

These zones only contain records that can be public. None of them need to
be hidden (why hide DNS? IP will still be reachable on its own).
It's just that I was shocked that I leak more data with DNSSEC than
without it (sure, DNSSEC has more pros than cons).
On an apache server, you would disable the version string, just because
nobody needs to know, since the admin will already know through other

As I am not familiar with the process behind NSEC and NSEC3, what is the
way to go? Keep NSEC or move to NSEC3?

If zone walking is no concern, which mode is more compatible with AXFR to
foreign servers?

> If you don’t care that someone might enumerate every name in your zone (zone
> walk), then use NSEC.


Actually none of them should cause the problem I have.

I am just confused as my main problem is the CAA SERVFAIL on AXFR-slaves
because of DNSSEC validation problems (which must involve NSEC because the
record is not set).


On Mon, 29 Oct 2018 at 14:09, Aki Tuomi <cmouse at cmouse.fi> wrote:

> While the DNSCurve page provides excellent information about how your DNS
> data can be figured out using NSEC/NSEC3, it does fail to answer why DNS
> data should be considered private in the first place.
> If your security model relies on people not finding out your magical DNS
> record names, you might want to consider again.
> Aki
> On 29.10.2018 14.39, Kevin Olbrich wrote:
> Hi again,
> I have now updated to Pdns 4.1.4 and will test if the problem is still
> present.
> In the meantime I read this doc:
> https://dnscurve.org/espionage2.html
> Now I am unsure if NSEC3 is the way to go.
> What's best practice?
> Kevin
> On Mon, 29 Oct 2018 at 13:14, Kevin Olbrich <ko at sv01.de> wrote:
>> Hi!
>> I read this doc:
>> https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html
>> PowerDNS Authoritative Server 4.1.1
>> Currently all zones are DNSSEC signed with NSEC by default.
>> We noticed a problem with non-existent CAA records: The zone is native
>> and replicated via AXFR to an external service.
>> If I query the master, the result is "not found". If I query the external
>> server, it replies with SERVFAIL.
>> This changes as soon as I set a CAA, the lookup succeeds.
>> I think I have narrowed it down to NSEC. As NSEC3 makes zone-walking more
>> difficult, I would like to switch.
>> I tried "pdnsutil set-nsec3 example.com" which set some default values
>> and changed zone from NSEC to NSEC3.
>> Before I do this change with 600+ Zones, what is the best practice
>> setting for NSEC/NSEC3?
>> The docs state broad vs. inclusive vs. narrow but without any more
>> information.
>> And finally: Would this solve the CAA with replication problem?
>> Thank you very much.
>> Kevin
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
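As an added illustration of the NSEC vs. NSEC3 question and of what a validator needs in order to prove that a CAA record does not exist (example code written for this thread, not PowerDNS code): it builds both chain types for a constructed three-name zone and applies the NODATA check a validating resolver performs. The zone contents, the `build_chain` and `proves_nodata` helpers, and the reuse of the RFC 5155 Appendix A salt and iteration count are assumptions.

```python
import base64
import hashlib
# base32hex alphabet (RFC 4648) used for NSEC3 owner names.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical lowercase wire form, e.g. b'\\x07example\\x03com\\x00'."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed `iterations` more times."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode().translate(_B32HEX)

def canonical_key(name):
    """RFC 4034 section 6.1 ordering: compare labels from the root downwards."""
    return list(reversed(name.lower().rstrip(".").split(".")))

def build_chain(zone, nsec3=None):
    """zone: {owner: set_of_types} -> [(owner, next_owner, types)] in chain order.
    An NSEC chain sorts and exposes real names; an NSEC3 chain sorts and exposes hashes."""
    if nsec3 is None:
        label, order = (lambda n: n), sorted(zone, key=canonical_key)
    else:
        salt, iters = nsec3
        label = lambda n: nsec3_hash(n, salt, iters)
        order = sorted(zone, key=label)
    return [(label(n), label(order[(i + 1) % len(order)]), frozenset(zone[n]))
            for i, n in enumerate(order)]

def proves_nodata(chain, qname, qtype, nsec3=None):
    """NODATA proof (name exists, type does not): the record whose owner matches qname
    and whose type bitmap omits qtype. No match = unprovable, which a validator reports as SERVFAIL."""
    owner = qname if nsec3 is None else nsec3_hash(qname, *nsec3)
    for rec_owner, _next_owner, types in chain:
        if rec_owner == owner:
            return qtype not in types
    return False

# Constructed sample zone (not from the thread): the apex carries no CAA record.
ZONE = {"example.com.": {"SOA", "NS", "DNSKEY"},
        "mail.example.com.": {"A", "MX"},
        "www.example.com.": {"A"}}
NSEC3_PARAMS = (bytes.fromhex("aabbccdd"), 12)  # salt, iterations: RFC 5155 Appendix A values
NSEC_CHAIN = build_chain(ZONE)                  # owner -> next shows "mail.example.com." in clear
NSEC3_CHAIN = build_chain(ZONE, NSEC3_PARAMS)   # owner -> next shows only hashed labels
```

Printing `NSEC_CHAIN` next to `NSEC3_CHAIN` shows the difference the thread is about: the NSEC records hand out every neighbouring owner name, the NSEC3 records only their hashes, while both prove "no CAA at the apex" identically.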