On 5/8/22 19:48, Warren Kumari wrote:
If zone enumeration was not a real concern, NSEC3 would not exist.
Ackchyually, that's only partly true — a significant amount of the
driver (some would say the large majority) behind NSEC3 was that it
supports "opt-out". This was important in very large, delegation-centric
zones (e.g. like .com), where the vast majority of delegations were
initially not signed. This allows just signing the signed delegation and
the holes between them, and not all of the unsigned delegations.
But, with opt-out, there're some security concerns around... so TL;DR
generally you should avoid it.
http://www.e-ontap.com/dns/entpoison.html
https://theory.stanford.edu/people/jcm/papers/dnssec_ndss10.pdf
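To make the opt-out trade-off discussed in the thread concrete, here is an added example (not code from either poster): a minimal NSEC3 hasher per RFC 5155 plus a toy validator that, given a hashed chain and a query name, reports whether the covering NSEC3 actually proves the name absent or merely lands in an opt-out span where an unsigned delegation could still exist. The zone names, the salt/iteration values used for the constructed chain, the record class and the verdict strings are all assumptions made for this example; the single hash test vector is taken from RFC 5155 Appendix A.

```python
import base64
import hashlib
from dataclasses import dataclass

# base32hex (RFC 4648 extended hex alphabet): lexicographic order of the
# text form equals numeric order of the hash, which is why NSEC3 uses it.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX_ALPHABET = bytes.maketrans(_B32_STD, _B32_HEX)

# Verdicts a validator can reach for a name that is not present as an owner.
EXISTS = "exists"
PROVEN_ABSENT = "proven absent"
OPT_OUT_GAP = "absence not proven (opt-out span, unsigned delegation possible)"


def wire_name(name: str) -> bytes:
    """Canonical (lowercased) wire-format encoding of a domain name."""
    trimmed = name.lower().rstrip(".")
    labels = trimmed.split(".") if trimmed else []
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: H(x||salt) iterated `iterations` more times, SHA-1."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes -> exactly 32 base32 characters, no padding needed.
    return base64.b32encode(digest).translate(_TO_HEX_ALPHABET).decode().lower()


@dataclass(frozen=True)
class NSEC3Record:
    """Hypothetical record shape: only the fields the covering logic needs."""
    owner_hash: str
    next_hash: str
    opt_out: bool


def build_chain(names, salt: bytes, iterations: int, opt_out: bool):
    """Build a circular NSEC3 chain over the signed names of a constructed zone."""
    hashes = sorted({nsec3_hash(n, salt, iterations) for n in names})
    return [
        NSEC3Record(hashes[i], hashes[(i + 1) % len(hashes)], opt_out)
        for i in range(len(hashes))
    ]


def covering_record(chain, h: str):
    """Return ('match', rec) if h is an owner, else ('covered', rec) for the span holding h."""
    for rec in chain:
        if rec.owner_hash == h:
            return "match", rec
    for rec in chain:
        wraps = rec.owner_hash >= rec.next_hash  # last record (or single-record chain)
        if rec.owner_hash < h < rec.next_hash or (
            wraps and (h > rec.owner_hash or h < rec.next_hash)
        ):
            return "covered", rec
    raise ValueError("malformed NSEC3 chain: no record covers the hash")


def classify(chain, qname: str, salt: bytes, iterations: int) -> str:
    """What a validator may conclude about qname from the chain alone.

    With the opt-out flag set on the covering NSEC3, the span between owner
    and next may legitimately contain unsigned delegations, so the record does
    not prove that qname is absent; it only proves no *signed* name is there.
    """
    kind, rec = covering_record(chain, nsec3_hash(qname, salt, iterations))
    if kind == "match":
        return EXISTS
    return OPT_OUT_GAP if rec.opt_out else PROVEN_ABSENT


if __name__ == "__main__":
    salt, iters = bytes.fromhex("aabbccdd"), 12  # RFC 5155 Appendix A parameters
    signed = ["example.", "a.example.", "ns1.example."]  # constructed zone content
    for flag in (False, True):
        chain = build_chain(signed, salt, iters, opt_out=flag)
        print(f"opt-out={flag}: nosuch.example. -> {classify(chain, 'nosuch.example.', salt, iters)}")
```

The two runs differ only in the opt-out flag on the same chain: without opt-out the covering record is a proof of nonexistence, with opt-out it is not, which is exactly the gap the two linked papers explore.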