On Thu, Jul 21, 2016 at 02:00:36PM +0300, Cristian Seres wrote:
> no, I mean the CloudFlare's solution that is rather different. According to
> the link I sent this approach has following benefits:
> - minimal information revealed, missing name \000 sent as the next name in
>   NSEC reply and using NODATA, also no need for additional NSEC for the
>   wildcard
> - prevents zone walking unlike NSEC3 which only makes it harder
> - the size of a negative reply is only a fraction of traditional NSEC reply

Well, patches are welcome! We can coordinate on #powerdns our IRC channel if
you want.

> I know about the NSEC3 narrow mode in PowerDNS. I suppose that's the best
> available option to decrease information leak at the moment. RFC7129
> appendix B calls them "NSEC3 White Lies" which is more commonly used term
> than narrow mode, I think.

We used it way before RFC7129, which may explain.

	Bert
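
The two denial styles discussed in this thread, side by side, as an added example that is not part of the original messages or of PowerDNS: it computes the narrow-mode ("white lies") NSEC3 span around a queried name's hash and the minimal NSEC span with `\000` prepended to the queried name. The function names, the sample query name and the salt/iteration values are assumptions made for illustration, and the `\000.<qname>` layout is this example's reading of the approach quoted above.

```python
import base64
import hashlib

# base32hex (RFC 4648) keeps the sort order of the raw hash, which NSEC3 needs.
_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32HEX = "0123456789abcdefghijklmnopqrstuv"
_TO_HEX = str.maketrans(_B32, _B32HEX)


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire format of a plain hostname."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> bytes:
    """RFC 5155 hash: SHA-1 over name||salt, then `iterations` extra rounds."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def b32hex(raw: bytes) -> str:
    return base64.b32encode(raw).decode("ascii").translate(_TO_HEX)


def white_lie(qname: str, zone: str, salt: bytes, iterations: int):
    """Narrow-mode NSEC3 span: owner = hash - 1, next = hash + 1."""
    h = int.from_bytes(nsec3_hash(qname, salt, iterations), "big")
    space = 1 << 160  # SHA-1 output space, wraps around like the hash ring
    lo = ((h - 1) % space).to_bytes(20, "big")
    hi = ((h + 1) % space).to_bytes(20, "big")
    return f"{b32hex(lo)}.{zone}", f"{b32hex(hi)}.{zone}"


def black_lie(qname: str):
    """Minimal NSEC span: owner = qname, next = \\000.qname (NODATA answer)."""
    q = qname.rstrip(".") + "."
    return q, "\\000." + q


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")  # constructed sample parameters
    print(white_lie("nope.example", "example.", salt, 12))
    print(black_lie("nope.example"))
```

In both cases the span covers only the queried name, so a response discloses nothing about neighbouring names in the zone; the narrow NSEC3 span still has to be hashed and signed per query, as does the minimal NSEC record.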