On 2010-09-21 16:46, Kalman Feher wrote:
> If you don't want someone to know it, don't make it public (at the very least).

I agree totally!

> You'll have to accept that no matter what steps you take, your public
> information will be available to those who wish to find it.

I agree. But I'd argue that there are different "grades" of public information. My home phone number is public. You can look it up in the (paper or electronic) phonebook. That doesn't mean I'll put it in the footer of every mail/facebook/twitter I send out. Hell, I even use an alias to post to newsgroups instead of my real name. And sure, you can figure out who I am, that info is publicly available somewhere (despite my efforts), but I'm not going to hand it to you on a plate.

In that sense, I still believe that using NSEC3 over NSEC adds another barrier to those who want to walk your zone. And while it's possible (you could even argue "easy") to overcome, it's yet another speed bump. The whole point of NSEC3 was to make zone walking as difficult as brute-forcing the server, not to make it impossible.

> Taking steps to prevent that is likely to waste more of your time than it
> will of those looking.

Unless you're calculating the NSEC3 hashes by hand, it took me under 1 minute to add an NSEC3PARAM RRset to my zone. And I'm fairly confident that it will take at least 1 minute longer to walk an NSEC3 zone than an NSEC zone.

Greets,
Niobos

_______________________________________________
bind-users mailing list
email@example.com
https://lists.isc.org/mailman/listinfo/bind-users
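The "speed bump" in the exchange above is the NSEC3 hashed owner name itself (RFC 5155 section 5): an NSEC chain lists a zone's names in the clear, while an NSEC3 chain lists only salted, iterated SHA-1 hashes of them, and changing the salt or iteration count in NSEC3PARAM rehashes the whole chain. The following is an added example written for this page, not code from the thread, BIND or any other project; the zone name, the owner names and the second salt are constructed, and only the apex hash is checked against the RFC 5155 Appendix A test vector (salt aabbccdd, 12 iterations).

```python
import base64
import hashlib

# RFC 5155 encodes the digest in base32hex (RFC 4648 "Extended Hex"), so the
# standard base32 alphabet produced by base64.b32encode is translated.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """NSEC3 hashed owner label (RFC 5155 section 5): SHA-1(x || salt), applied iterations+1 times."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)  # "-" means empty salt, as in NSEC3PARAM
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def nsec3_owner_names(zone: str, names, salt_hex: str, iterations: int) -> dict:
    """What the NSEC3 chain of `zone` exposes: hashed owner -> plain name it stands for.
    The plain names are known here only because we are the zone operator."""
    return {f"{nsec3_hash(n, salt_hex, iterations)}.{zone}": n for n in names}


def rehash_invalidates_chain(zone, names, old_params, new_params) -> bool:
    """True when a new NSEC3PARAM (salt, iterations) leaves no hashed owner in common
    with the old chain, i.e. nothing learned about the old chain carries over."""
    old = set(nsec3_owner_names(zone, names, *old_params))
    new = set(nsec3_owner_names(zone, names, *new_params))
    return old.isdisjoint(new)


if __name__ == "__main__":
    # Constructed zone contents (not from any real zone).
    ZONE = "example"
    NAMES = ["example", "a.example", "ns1.example", "www.example", "mail.example"]
    # An NSEC chain would list NAMES in the clear; an NSEC3 chain lists only these labels.
    for owner, plain in sorted(nsec3_owner_names(ZONE, NAMES, "aabbccdd", 12).items()):
        print(f"{owner}  <- {plain}")
    print("salt change invalidates chain:",
          rehash_invalidates_chain(ZONE, NAMES, ("aabbccdd", 12), ("0123abcd", 12)))
```

Note that every extra iteration costs the authoritative server and every resolver the same SHA-1 work it costs anyone guessing names, which is why the iteration count is a trade-off rather than a free knob.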