Hello Peter,

On 26 Aug 2016, at 14:49, Keresztes Péter-Zoltán wrote:

I was wondering, when securing a zone, if there is any security difference between using nsec3 and nsec3-narrow besides the fact that nsec3 needs the zone to be rectified after each change while nsec3-narrow does not need that.

With NSEC3 (non-narrow), somebody can easily get all your NSEC3 records (of which you have roughly as many as there are names in your zone), and then do an offline brute force to find the actual names in your zones - more info at https://dnscurve.org/nsec3walker.html

Narrow prevents this by generating a very small (narrow) NSEC3 for every negative response, at a higher CPU cost, and terrible cache hit rates if somebody starts sending you random queries.

If you care about enumeration, narrow might be of interest (but keep in mind there are many ways for somebody to find out the contents of your zones).

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
_______________________________________________
Pdns-users mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
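To make the difference concrete, here is an added example (not code from the thread, from PowerDNS, or from the nsec3walker page) that implements the RFC 5155 NSEC3 hash, builds the sorted NSEC3 chain a non-narrow signer publishes for a small zone, and runs the offline dictionary attack Peter describes against the collected hashes. It then shows the narrow idea: for a name that does not exist, a record is synthesised that covers only that name's hash (hash-1 to hash+1), so a walker collects nothing but hashes of names it chose itself. The zone names, salt, iteration count and wordlist are constructed for illustration, and the hash-1/hash+1 construction is an illustration of narrow mode rather than a claim about PowerDNS's exact record contents.

```python
"""NSEC3 hashing, zone-walk dictionary attack, and the narrow alternative.
Added illustration; sample zone, salt and wordlist are constructed."""
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"  # RFC 4648 section 7 alphabet, lowercase


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, RFC 4034 section 6.2."""
    labels = [l.encode("ascii") for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> bytes:
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed `iterations` more times."""
    h = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return h


def base32hex(raw: bytes) -> str:
    """Unpadded Base32 with the extended-hex alphabet; 20 bytes -> 32 chars.
    Lexicographic order of the output equals numeric order of the hash."""
    nchars = (len(raw) * 8 + 4) // 5
    bits = int.from_bytes(raw, "big") << (nchars * 5 - len(raw) * 8)
    return "".join(B32HEX[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def nsec3_chain(names, salt: bytes, iterations: int):
    """What a non-narrow signer publishes: one NSEC3 per name, sorted by hash,
    each pointing at the next hash. This is exactly what a zone walker collects
    by following 'next hashed owner' pointers around the zone."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(hashes[i], hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]


def crack_chain(chain, zone: str, salt: bytes, iterations: int, wordlist):
    """Offline brute force: hash each candidate <word>.<zone> with the zone's
    public salt/iterations and look it up in the collected owner hashes."""
    collected = {owner for owner, _ in chain}
    found = {}
    for word in wordlist:
        candidate = f"{word}.{zone}"
        h = nsec3_hash(candidate, salt, iterations)
        if h in collected:
            found[base32hex(h)] = candidate
    return found


def narrow_nsec3(qname: str, salt: bytes, iterations: int):
    """Narrow mode, illustrated: for a negative answer, synthesise an NSEC3 whose
    owner is hash(qname)-1 and whose 'next' is hash(qname)+1. It proves qname
    does not exist but reveals no hash of any real name in the zone."""
    h = int.from_bytes(nsec3_hash(qname, salt, iterations), "big")
    lo = ((h - 1) % (1 << 160)).to_bytes(20, "big")
    hi = ((h + 1) % (1 << 160)).to_bytes(20, "big")
    return base32hex(lo), base32hex(hi)


# Constructed sample zone and attacker wordlist (not real data).
ZONE = "example.com"
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 10
REAL_NAMES = ["example.com", "www.example.com", "mail.example.com",
              "intranet.example.com", "zz-secret-host.example.com"]
WORDLIST = ["www", "mail", "ftp", "intranet", "vpn", "dev"]


def demo_walk_and_crack():
    """Non-narrow: walker collects the chain, cracker recovers the guessable names."""
    chain = nsec3_chain(REAL_NAMES, SALT, ITERATIONS)
    return crack_chain(chain, ZONE, SALT, ITERATIONS, WORDLIST)


def demo_narrow_walk():
    """Narrow: the 'chain' a walker collects is just hashes around its own queries,
    so the same dictionary attack recovers nothing."""
    probes = ["doesnotexist.example.com", "nope.example.com"]
    fake_chain = []
    for q in probes:
        lo, hi = narrow_nsec3(q, SALT, ITERATIONS)
        fake_chain.append((bytes.fromhex(format(int(lo, 32) if False else 0, "040x")) if False else
                           int.to_bytes(int("".join(str(B32HEX.index(c)).zfill(2) for c in lo)) & 0, 20, "big"), None))
    # The owner hashes are hash-1 values of the probes, never a hash of a real name:
    owners = {int.from_bytes(nsec3_hash(q, SALT, ITERATIONS), "big") - 1 for q in probes}
    chain = [(o.to_bytes(20, "big"), None) for o in owners]
    return crack_chain(chain, ZONE, SALT, ITERATIONS, WORDLIST)


if __name__ == "__main__":
    print("non-narrow, cracked:", demo_walk_and_crack())
    print("narrow, cracked:", demo_narrow_walk())
```

The `nsec3_hash` function can be checked against the RFC 5155 Appendix A vector (salt `aabbccdd`, 12 iterations, name `example` hashes to `0p9mhaveqvm6t7vbl5lop2u3t2rp3tom`). Note the caveat from the reply: the salt and iteration count are public in the NSEC3PARAM record, so higher iteration counts only raise the cost for both sides, and names outside the attacker's dictionary (like `zz-secret-host`) survive the brute force only as long as they are unguessable.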
