> Currently I'm using bind 9.4.x, with NSEC records, but looking to move
> to 9.6.1, in fact my slaves are already 9.6.1, but my master isn't
> yet. I've recently read where .org has been signed, and using NSEC3. I
> thought it might be a good idea to resign my zones using NSEC3, but
> was unaware if both NSEC and NSEC3 were acceptable.

NSEC and NSEC3 are both just methods for proving that a name doesn't exist in a zone, so that if you get a negative answer you can be sure it isn't a forgery. The difference is, NSEC works by giving you the names that *are* in the zone, whereas NSEC3 uses a one-way hash on them, concealing the actual names.

The only disadvantage of NSEC is it makes it possible for someone to "walk" your zone and list off every record it contains. Some people have a problem with this. NSEC3 closes that door, at some computational cost.

If you already have your zones signed with NSEC, and it isn't bothering you that someone could enumerate them, then it probably isn't worthwhile converting to NSEC3. There is no advantage at all to using both. If NSEC is there, your zone is enumerable.

> Is it too soon to go NSEC3? No doubt a good portion of DNSSEC-aware
> resolvers aren't NSEC3 capable yet, is this something I need to take
> into account?

Maybe. I expect that to be a fairly short-term problem though, since major TLDs are using NSEC3. That's a pretty good reason for resolvers to come into compliance. (You might want to upgrade yours to 9.6.1.)

> I use ISC's DLV, is NSEC3 an issue for that?

It was, a while back. It's fixed now.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
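As an added illustration of the NSEC/NSEC3 difference Evan describes (example code written for this page, not from BIND or the thread): it computes the RFC 5155 owner-name hash and contrasts what following each chain reveals. The three-name zone and its NSEC chain are constructed; the salt aabbccdd and 12 iterations are the RFC 5155 Appendix A parameters.

```python
import base64
import hashlib

# base32 -> base32hex alphabet (RFC 4648 section 7); NSEC3 owner names use base32hex
# because it keeps the hash bytes' sort order, which the chain relies on.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire form of a name: lowercase labels, length-prefixed, root label."""
    labels = [lbl for lbl in name.lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str = "-", iterations: int = 0) -> str:
    """NSEC3 owner-name hash (RFC 5155 section 5): SHA-1 over wire name + salt,
    re-hashed `iterations` more times with the salt, base32hex (20 bytes -> 32 chars)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def nsec_walk(nsec_chain: dict, apex: str) -> list:
    """Follow NSEC 'next domain name' pointers from the apex: every hop is a real name.
    nsec_chain maps each owner to the next name, exactly as the NSEC RRs publish it."""
    names, cur = [], apex
    while True:
        names.append(cur)
        cur = nsec_chain[cur]
        if cur == apex:
            return names


def nsec3_chain(names, salt_hex: str, iterations: int) -> list:
    """What following an NSEC3 chain yields: sorted hashed owners, no plaintext names."""
    return sorted(nsec3_hash(n, salt_hex, iterations) for n in names)


def nsec3_covering(chain: list, qname: str, salt_hex: str, iterations: int):
    """Return the (owner_hash, next_hash) interval covering a name absent from the zone,
    i.e. the NSEC3 RR a validator needs for a negative proof; None if the name exists."""
    h = nsec3_hash(qname, salt_hex, iterations)
    for i, owner in enumerate(chain):
        nxt = chain[(i + 1) % len(chain)]
        if h == owner:
            return None
        if owner < h < nxt or (nxt < owner and (h > owner or h < nxt)):  # last -> first
            return owner, nxt
    return None
```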