[Opendnssec-user] Reverse zones?

Casper Gielen c.gielen at uvt.nl
Wed Mar 7 10:30:04 UTC 2012


On 06-03-12 15:04, Carlos Martinez-Cagnazzo wrote:
> Hello,
> 
> The one difference that comes to mind is that NSEC3 doesn't make a lot
> sense in the reverse space, as anyone can walk the zones anyway, so we
> (LACNIC) will be using NSEC for signed negative responses.

What are the benefits of using NSEC over NSEC3?
I realize that NSEC3 is more complicated in theory, but is there any
real difference in practice? OpenDNSSEC does all the hard work for me.

Differentiating between NSEC and NSEC3 would make my environment more
complicated and I don't think that outweighs the simplicity of NSEC.


While I understand the argument that an IPv4-reverse zone is trivially
enumerated, that will change when IPv6 becomes more common. Naively
trying every IP is just not feasible anymore. In that case NSEC will
actually be helpful in finding addresses that are assigned.

-- 
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
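
The trade-off discussed in this thread, as an added example (not part of the original message or of OpenDNSSEC): what an NSEC chain and an NSEC3 chain each publish for the same ip6.arpa owner names. The addresses, salt and iteration count are constructed sample values, and the apex and empty non-terminals a real zone would also carry are left out.

```python
import base64
import hashlib
import ipaddress

# Map the standard base32 alphabet onto base32hex (RFC 4648), as used by NSEC3.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def wire(name):
    """Lowercased DNS wire format of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash (SHA-1), returned as a base32hex label."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire(name) + salt).digest()
    for _ in range(iterations):  # 'iterations' counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def canonical_key(name):
    """RFC 4034 section 6.1 ordering: compare labels right to left."""
    return [l.encode("ascii") for l in reversed(name.lower().rstrip(".").split("."))]

def nsec_chain(names):
    """(owner, next owner) pairs as NSEC publishes them: plaintext names."""
    ordered = sorted(names, key=canonical_key)
    return list(zip(ordered, ordered[1:] + ordered[:1]))

def nsec3_chain(names, salt_hex, iterations):
    """(hashed owner, next hashed owner) pairs as NSEC3 publishes them."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return list(zip(hashes, hashes[1:] + hashes[:1]))

# Constructed sample: three PTR owners in the 2001:db8::/32 documentation prefix.
SAMPLE = [ipaddress.ip_address(a).reverse_pointer
          for a in ("2001:db8::1", "2001:db8::53", "2001:db8:0:1::25")]

if __name__ == "__main__":
    for owner, nxt in nsec_chain(SAMPLE):
        print("NSEC ", owner, "->", nxt)
    for owner, nxt in nsec3_chain(SAMPLE, "aabbccdd", 12):  # constructed parameters
        print("NSEC3", owner, "->", nxt)
```

The NSEC pairs contain the assigned reverse names verbatim, while the NSEC3 pairs contain only salted SHA-1 hashes of them.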


