On 06-03-12 15:04, Carlos Martinez-Cagnazzo wrote:
> Hello,
>
> The one difference that comes to mind is that NSEC3 doesn't make a lot
> sense in the reverse space, as anyone can walk the zones anyway, so we
> (LACNIC) will be using NSEC for signed negative responses.

What are the benefits of using NSEC over NSEC3? I realize that NSEC3 is more complicated in theory, but is there any real difference in practice? OpenDNSSEC does all the hard work for me. Differentiating between NSEC and NSEC3 would make my environment more complicated and I don't think that outweighs the simplicity of NSEC.

While I understand the argument that an IPv4-reverse zone is trivially enumerated, that will change when IPv6 becomes more common. Naively trying every IP is just not feasible anymore. In that case NSEC will actually be helpful in finding addresses that are assigned.

--
Casper Gielen <[email protected]> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
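
The NSEC versus NSEC3 trade-off discussed in this message, as an added example that is not part of the original e-mail and is not OpenDNSSEC code: it builds the NSEC chain and the RFC 5155 NSEC3 owner names for a small ip6.arpa zone, so a zone operator can see what each denial-of-existence record publishes. The zone contents, salt and iteration count are constructed sample values.

```python
import base64
import hashlib
import ipaddress

# Map the standard base32 alphabet to base32hex, which NSEC3 owner names use.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def labels(name):
    return name.rstrip(".").lower().split(".")

def wire_name(name):
    """Canonical (lowercased) DNS wire format: length-prefixed labels, root last."""
    out = b""
    for label in labels(name):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash: SHA-1 over name+salt, re-hashed `iterations` more times."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").lower()

def nsec_chain(names):
    """(owner, next owner) pairs in RFC 4034 canonical order, wrapping to the apex."""
    ordered = sorted(names, key=lambda n: [l.encode("ascii") for l in reversed(labels(n))])
    return list(zip(ordered, ordered[1:] + ordered[:1]))

# Constructed sample zone: three PTR owners under the documentation prefix 2001:db8::/32.
APEX = "8.b.d.0.1.0.0.2.ip6.arpa"
ZONE = [APEX] + [ipaddress.ip_address(a).reverse_pointer
                 for a in ("2001:db8:0:1::25", "2001:db8::53", "2001:db8::1")]
SALT, ITERATIONS = "aabbccdd", 12   # constructed NSEC3 parameters

if __name__ == "__main__":
    print("NSEC: each denial names two real owners")
    for owner, nxt in nsec_chain(ZONE):
        print("  %s NSEC %s" % (owner, nxt))
    # A real signer also emits NSEC3 records for empty non-terminals; omitted here.
    print("NSEC3: owners are salted hashes under the apex")
    for h in sorted(nsec3_hash(n, SALT, ITERATIONS) for n in ZONE):
        print("  %s.%s" % (h, APEX))
```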
