> > It probably does not play well with DNSSEC, although I was thinking
> > about whether some amount of wildcards in the signed reverse could
> > help, but I don't think so.
>
> Well, what if the reverse is an NSEC3.... does that let the server
> make up stuff with having to sign it all? I don't think so, but
> I'm thinking out loud here.
Not sure what you're thinking of here. "A reverse" is, I think, most often thought to be a PTR record, so it can't be an NSEC3 record.

A DNS reply which includes the NSEC3 records is typically given as part of an "authenticated denial of existence" response, i.e. the server expresses "there is no name in the zone matching the queried-for name, and there is no name between those names with these hashes in the zone", and the status code in the reply is then NXDOMAIN. This also means that no wildcard record in the zone matched the queried-for name.

The publishing name server then has no way to "make up stuff", and there's no need to sign anything on the fly -- the NSEC3 records and their signatures can be pre-computed when the zone contents are known (typically when it is loaded).

Regards,

- Håvard
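To make the NXDOMAIN mechanics concrete, here is an added example (not code from the thread or from BIND) that hashes owner names the way RFC 5155 section 5 specifies, precomputes the NSEC3 chain for a small constructed zone, and then assembles the three records a validating resolver needs for a name error: a matching record for the closest encloser, a covering record for the next-closer name, and a covering record for the wildcard under the closest encloser. The zone names are constructed for this example; the salt `aabbccdd` and 12 iterations are the parameters from RFC 5155 Appendix A, and the hash of `example` under them is checked against the value that appendix lists.

```python
"""Added example: NSEC3 hashing (RFC 5155 s5) and the name-error proof (s8.4).

Zone contents below are constructed for this example. Hashes are computed
once when the zone is "loaded", so the server never invents or signs
anything per query: it only returns precomputed records.
"""
import base64
import hashlib

# base32 standard alphabet -> base32 "extended hex" alphabet (RFC 4648 s7)
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each length-prefixed, root byte last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """IH(salt, x, 0) = H(x||salt); IH(salt, x, k) = H(IH(k-1)||salt); base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 SHA-1 bytes are exactly 32 base32 characters, so there is no '=' padding
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


def build_chain(zone_names, salt: bytes, iterations: int):
    """Precompute the NSEC3 chain: (owner hash, next hash) pairs in hash order,
    the last one wrapping around to the first. Done once at zone load time."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in zone_names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def covers(record, h: str) -> bool:
    """True if h falls strictly between owner and next (wrap-around for the last)."""
    owner, nxt = record
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt


def prove_nxdomain(chain, qname: str, salt: bytes, iterations: int):
    """Return the records proving qname does not exist, or None when the name
    (or a wildcard that would synthesize an answer for it) does exist."""
    owners = {o for o, _ in chain}
    if nsec3_hash(qname, salt, iterations) in owners:
        return None  # name exists: no NXDOMAIN to prove
    labels = qname.lower().rstrip(".").split(".")
    for i in range(1, len(labels) + 1):  # walk up toward the apex
        ce = ".".join(labels[i:])
        if nsec3_hash(ce, salt, iterations) not in owners:
            continue
        next_closer = ".".join(labels[i - 1:])
        nc = [r for r in chain if covers(r, nsec3_hash(next_closer, salt, iterations))]
        wc = [r for r in chain if covers(r, nsec3_hash("*." + ce, salt, iterations))]
        if nc and wc:
            return {"closest_encloser": ce,
                    "next_closer_covered_by": nc[0],
                    "wildcard_covered_by": wc[0]}
        return None  # "*.<ce>" exists, so the server answers from it instead
    return None


# Constructed zone for the example; apex is "example".
SALT = bytes.fromhex("aabbccdd")   # RFC 5155 Appendix A parameters
ITERATIONS = 12
ZONE_NAMES = ["example", "a.example", "ns1.example", "w.example", "x.w.example"]
CHAIN = build_chain(ZONE_NAMES, SALT, ITERATIONS)


if __name__ == "__main__":
    # RFC 5155 Appendix A lists this hash for the apex name "example"
    print(nsec3_hash("example", SALT, ITERATIONS))  # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    print(prove_nxdomain(CHAIN, "z.w.example", SALT, ITERATIONS))
    print(prove_nxdomain(CHAIN, "x.w.example", SALT, ITERATIONS))  # None: exists
```

Adding `*.w.example` to `ZONE_NAMES` makes `prove_nxdomain` return `None` for `z.w.example`: the wildcard's own hash is then an NSEC3 owner rather than a covered gap, which is exactly why an NXDOMAIN proof also demonstrates that no wildcard matched.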