[Opendnssec-user] Reverse zones?
Gustafsson Daniel L
daniel.l.gustafsson at atea.se
Wed Mar 7 14:33:59 UTC 2012
I agree with Casper,
as a user of OpenDNSSEC and NSEC3 I would get a more 'complicated'
DNSSEC structure
where one part is NSEC3 and the other NSEC.
Though I have not signed any reverse zones yet, only my .se (Sweden) zones.
Just want to throw a question out to the list to get as many scenarios as
possible:
* What is the reason and benefit that you sign your IPv4 reverse zones?
Regards,
++DG
PS. My first mail to the list that I've been following a long time. :)
DS
On 2012-03-07 11:30, "Casper Gielen" <c.gielen at uvt.nl> wrote:
>On 06-03-12 15:04, Carlos Martinez-Cagnazzo wrote:
>> Hello,
>>
>> The one difference that comes to mind is that NSEC3 doesn't make a lot of
>> sense in the reverse space, as anyone can walk the zones anyway, so we
>> (LACNIC) will be using NSEC for signed negative responses.
>
>What are the benefits of using NSEC over NSEC3?
>I realize that NSEC3 is more complicated in theory, but is there any
>real difference in practice? OpenDNSSEC does all the hard work for me.
>
>Differentiating between NSEC and NSEC3 would make my environment more
>complicated and I don't think that outweighs the simplicity of NSEC.
>
>
>While I understand the argument that an IPv4-reverse zone is trivially
>enumerated, that will change when IPv6 becomes more common. Naively
>trying every IP is just not feasible anymore. In that case NSEC will
>actually be helpful in finding addresses that are assigned.
>
>--
>Casper Gielen <cgielen at uvt.nl> | LIS UNIX
>PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
>
>Universiteit van Tilburg | Postbus 90153, 5000 LE
>Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
>
>
>
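Added example, not part of the original thread or of OpenDNSSEC: for an operator weighing NSEC against NSEC3 in a reverse zone, this computes NSEC3 owner hashes as RFC 5155 defines them and shows that in an IPv4 /24 reverse zone every published hash maps back to its name, while an IPv6 /64 has far too many candidates for that. The zone (documentation prefix 192.0.2.0/24), salt, iteration count and function names are constructed for illustration.

```python
import base64
import hashlib

# RFC 4648 base32 alphabet -> base32hex alphabet, as NSEC3 owner names use it
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Lowercased DNS wire format: length-prefixed labels plus the root label."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash (algorithm 1, SHA-1) as a base32hex label."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):  # 'iterations' counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").lower()

def names_behind_hashes(zone, hashes, salt_hex, iterations):
    """Match published NSEC3 labels of an IPv4 /24 reverse zone to owner names.
    Only 256 PTR owner names are possible, so every hash is checked offline."""
    table = {nsec3_hash(f"{i}.{zone}", salt_hex, iterations): f"{i}.{zone}"
             for i in range(256)}
    return {table[h] for h in hashes if h in table}

def ptr_candidates(host_bits):
    """Possible PTR owner names below a reverse zone with host_bits left over."""
    return 2 ** host_bits

# Constructed sample: a signed reverse zone for the documentation prefix
# 192.0.2.0/24; salt and iteration count are made-up values.
ZONE, SALT, ITERATIONS = "2.0.192.in-addr.arpa", "ab12", 5
ASSIGNED = {f"{i}.{ZONE}" for i in (10, 53, 200)}
PUBLISHED = {nsec3_hash(n, SALT, ITERATIONS) for n in ASSIGNED}

if __name__ == "__main__":
    print(sorted(names_behind_hashes(ZONE, PUBLISHED, SALT, ITERATIONS)))
    print("IPv4 /24 candidates:", ptr_candidates(8))
    print("IPv6 /64 candidates:", ptr_candidates(64))
```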