On 5/8/22 19:48, Warren Kumari wrote:
If zone enumeration was not a real concern, NSEC3 would not exist.Ackchyually, that's only partly true — a significant amount of the driver (some would say hte large majority) behind NSEC3 was that it supports "opt-out". This was important in very large, delegation-centric zones (e.g like .com), where the vast majority of delegations were initially not signed. This allows just signing the signed delegation and the holes between them, and not all of the unsigned delegations.
But, with op-out, there're some security concerns around... so TL;DR generally you should avoid-it.
http://www.e-ontap.com/dns/entpoison.html https://theory.stanford.edu/people/jcm/papers/dnssec_ndss10.pdf
