I agree with Casper; as a user of OpenDNSSEC and NSEC3, I would get a more 'complicated' DNSSEC structure where one part is NSEC3 and the other NSEC.
Though I have not signed any reverse zones yet, only my .se (Sweden) zones.

Just want to throw a question out to the list to get as many scenarios as possible:

* What is the reason and benefit that you sign your IPv4 reverse zones?

Regards,
++DG

PS. My first mail to the list that I've been following a long time. :)
DS

On 2012-03-07 11:30, "Casper Gielen" <[email protected]> wrote:

>On 06-03-12 15:04, Carlos Martinez-Cagnazzo wrote:
>> Hello,
>>
>> The one difference that comes to mind is that NSEC3 doesn't make a lot
>> of sense in the reverse space, as anyone can walk the zones anyway, so we
>> (LACNIC) will be using NSEC for signed negative responses.
>
>What are the benefits of using NSEC over NSEC3?
>I realize that NSEC3 is more complicated in theory, but is there any
>real difference in practice? OpenDNSSEC does all the hard work for me.
>
>Differentiating between NSEC and NSEC3 would make my environment more
>complicated and I don't think that outweighs the simplicity of NSEC.
>
>
>While I understand the argument that an IPv4-reverse zone is trivially
>enumerated, that will change when IPv6 becomes more common. Naively
>trying every IP is just not feasible anymore. In that case NSEC will
>actually be helpful in finding addresses that are assigned.
>
>--
>Casper Gielen <[email protected]> | LIS UNIX
>PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
>
>Universiteit van Tilburg | Postbus 90153, 5000 LE
>Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
>
>
>

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
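The namespace argument in this thread, as an added example that is not part of the original messages: it computes the RFC 5155 NSEC3 hash for every name a /24 `in-addr.arpa` zone can contain, showing that the hashed owner names in such a zone map straight back to their plain names, and counts the possible names under an `ip6.arpa` zone for comparison. The zone `2.0.192.in-addr.arpa`, the salt and the iteration count are constructed sample values.

```python
import base64
import hashlib

# Translate RFC 4648 base32 output to the lowercase base32hex used in NSEC3 owner names.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789abcdefghijklmnopqrstuv")

def wire_name(name):
    """Canonical (lowercased) DNS wire format of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash: SHA-1 over name||salt, then `iterations` extra rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii")

def hashed_namespace(zone, salt_hex, iterations):
    """Hash -> owner name for all 256 names a /24 in-addr.arpa zone can hold."""
    return {nsec3_hash(f"{i}.{zone}", salt_hex, iterations): f"{i}.{zone}"
            for i in range(256)}

def ipv6_reverse_names(prefix_len):
    """Number of possible full-length PTR owner names under an ip6.arpa zone."""
    return 16 ** ((128 - prefix_len) // 4)

if __name__ == "__main__":
    zone, salt, iters = "2.0.192.in-addr.arpa", "aabbccdd", 12  # constructed values
    table = hashed_namespace(zone, salt, iters)
    # An NSEC3 owner label as it would appear in a signed negative response.
    seen = nsec3_hash("17." + zone, salt, iters)
    print(f"{len(table)} candidate names hashed; {seen} -> {table[seen]}")
    print(f"/64 ip6.arpa zone: {ipv6_reverse_names(64):,} possible names")
```

When weighing NSEC against NSEC3 for a zone, the size of the candidate namespace is the figure to compare: 256 names for an IPv4 /24, 16^16 for an IPv6 /64.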
