21.07.2016, 13:02, bert hubert wrote:

Hi Cristian,

You mean NSEC3 narrow from
https://doc.powerdns.com/md/authoritative/dnssec/#online-signing ?

Hi Bert,

no, I mean CloudFlare's solution, which is rather different. According to the link I sent, this approach has the following benefits:
- minimal information revealed: the missing name with \000 is sent as the next name in the NSEC reply, using NODATA; also no need for an additional NSEC for the wildcard
- prevents zone walking unlike NSEC3 which only makes it harder
- the size of a negative reply is only a fraction of traditional NSEC reply

I know about the NSEC3 narrow mode in PowerDNS. I suppose that's the best available option to decrease information leak at the moment. RFC7129 appendix B calls them "NSEC3 White Lies", which is a more commonly used term than narrow mode, I think.


With best regards,

--
Cristian Seres
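As an added illustration of the negative-answer scheme described in the message above (example code, not from the thread, from PowerDNS or from CloudFlare; the function names are my own and the scheme is my reading of the "next name is \000.qname, answered as NODATA" description): the block synthesises the single NSEC such an answer carries and checks the canonical-ordering property that makes \000.<qname> the closest possible next name, so the record reveals no other name in the zone.

```python
# Names are lists of label byte strings, root first, lowercased. Ordering
# follows the canonical DNS name order of RFC 4034 section 6.1: compare label
# by label from the root, a shorter name (proper ancestor) sorts first, labels
# compare as octet strings. Assumed scheme (not from the thread): a query for a
# name that does not exist gets NOERROR/NODATA plus one NSEC whose owner is the
# query name and whose next name is "\000.<qname>".

def labels(name: str) -> list:
    """Split a textual name into root-first label byte strings."""
    name = name.rstrip(".").lower()
    parts = name.split(".") if name else []
    return [p.encode("latin-1") for p in reversed(parts)]

def to_text(name: list) -> str:
    """Presentation form, non-printable octets escaped as \\DDD."""
    out = []
    for lab in reversed(name):
        out.append("".join(chr(c) if 33 <= c <= 126 and c != 46 else "\\%03d" % c
                           for c in lab))
    return ".".join(out) + "."

def canonical_cmp(a: list, b: list) -> int:
    """RFC 4034 s6.1 order: -1 if a < b, 0 if equal, 1 if a > b."""
    for la, lb in zip(a, b):
        if la != lb:
            return -1 if la < lb else 1
    return (len(a) > len(b)) - (len(a) < len(b))

def black_lie(qname: str) -> dict:
    """NSEC RR synthesised for a name that does not exist in the zone."""
    owner = labels(qname)
    # The only types present at the synthesised name are the NSEC itself and
    # its signature, so any other qtype gets a NODATA proof from this one RR.
    return {"owner": owner, "next": owner + [b"\x00"], "types": {"RRSIG", "NSEC"}}

def covers(nsec: dict, name: list) -> bool:
    """True if name sorts strictly between owner and next (i.e. it cannot exist)."""
    return (canonical_cmp(nsec["owner"], name) < 0
            and canonical_cmp(name, nsec["next"]) < 0)

def proves_nodata(nsec: dict, name: list, qtype: str) -> bool:
    """NODATA proof: the NSEC owner equals the name and qtype is absent from the bitmap."""
    return canonical_cmp(nsec["owner"], name) == 0 and qtype not in nsec["types"]

if __name__ == "__main__":
    rr = black_lie("missing.example.com")
    print(to_text(rr["owner"]), "NSEC", to_text(rr["next"]), sorted(rr["types"]))
    # Nothing sorts between owner and next: neither a sibling nor a child does.
    for probe in ("missing0.example.com", "a.missing.example.com"):
        print(probe, "covered:", covers(rr, labels(probe)))
```

Because the answer is NODATA for a name the NSEC says exists, no second NSEC denying a wildcard is needed, which is the size and leakage advantage the message lists.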
_______________________________________________
Pdns-dev mailing list
Pdns-dev@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-dev
