[SLL] who is randomizing DNS source ports? deploying DNSSEC?
Jeremy C. Reed
reed at reedmedia.net
Mon Jul 28 06:30:42 PDT 2008
On Fri, 25 Jul 2008, Mark Foster wrote:
> 3. unavoidable data leakage (NXT records)
NSEC3 record in RFC 5155 "DNS Security (DNSSEC) Hashed Authenticated
Denial of Existence"
(NXT is obsolete. NSEC is the replacement.)
NSEC3 is not a replacement for NSEC but is an alternative.
It is in upcoming BIND 9.6. NSEC3 can't and shouldn't be used unless it is
really needed due to computational expense (creating hashes) on the server
side and the client side. I have been told by the implementor that "DNSSEC
won't fly if everyone does NSEC3". So if anything is private then don't
put it in the public zone and don't worry if it is walked.
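To make the NSEC-versus-NSEC3 trade-off concrete, here is an added illustration (not code from this thread, nor from BIND): it builds an NSEC chain and an NSEC3 chain over a small constructed zone, implements the RFC 5155 hash (SHA-1, iterated with a salt, base32hex-encoded) so you can see that only hashes appear in the NSEC3 chain, and counts the extra SHA-1 work the signer and every validator pay. The zone names are made up; the salt and iteration count are the ones RFC 5155 Appendix A uses, so the apex hash can be checked against the RFC's own example.

```python
"""NSEC vs NSEC3 authenticated denial of existence (RFC 4034 / RFC 5155).

Added illustration for the thread: an NSEC chain lists owner names in
cleartext, so it can be walked; an NSEC3 chain links salted, iterated
SHA-1 hashes instead, at the cost of extra hashing on the signer and on
every validator. Standard library only; nothing touches the network.
"""
import base64
import hashlib

# NSEC3 encodes hashed owner names in base32hex (RFC 4648 section 7), whose
# lexical order matches the binary order of the hashes. Python's b32encode
# uses the ordinary base32 alphabet, so translate it.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Canonical wire form of a name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def nsec3_hash(owner, salt, iterations):
    """Hash algorithm 1 (SHA-1) from RFC 5155 section 5:
    IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    Returns the lowercase base32hex text that forms the NSEC3 owner label."""
    digest = hashlib.sha1(name_to_wire(owner) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical order: labels compared
    from the root leftwards, case-insensitively."""
    return [lab.encode("ascii")
            for lab in reversed(name.rstrip(".").lower().split("."))]


def nsec_chain(names):
    """NSEC chain: each owner points at the next name in canonical order and
    the last wraps to the first. Every owner name is readable as-is."""
    ordered = sorted(names, key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)])
            for i in range(len(ordered))]


def nsec3_chain(names, salt, iterations):
    """NSEC3 chain over the same names, linked in hash order. Returns the
    chain and the number of SHA-1 calls needed to build it, which is the
    price the signer pays once and a validator pays per name it checks."""
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in names)
    chain = [(hashed[i], hashed[(i + 1) % len(hashed)])
             for i in range(len(hashed))]
    return chain, len(names) * (iterations + 1)


# Constructed sample zone (not taken from the thread): the apex and a few
# hosts. Salt and iteration count are the values RFC 5155 Appendix A uses.
ZONE_NAMES = ["example", "www.example", "mail.example",
              "vpn-gw.example", "staging-db.example"]
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12

if __name__ == "__main__":
    print("NSEC chain (names in the clear):")
    for owner, nxt in nsec_chain(ZONE_NAMES):
        print("  %-20s -> %s" % (owner, nxt))
    chain, cost = nsec3_chain(ZONE_NAMES, SALT, ITERATIONS)
    print("NSEC3 chain (hashes only), %d SHA-1 calls to sign:" % cost)
    for owner, nxt in chain:
        print("  %s.example -> %s" % (owner, nxt))
```

Running it prints the two chains side by side: the NSEC one reads like a directory listing of the zone, the NSEC3 one is a ring of 32-character hashes. The cost figure is the point Jeremy makes above: with 12 iterations every name costs 13 SHA-1 calls instead of one, and a validator repeats that work for each name it has to prove absent, which is why NSEC3 is worth using only where the zone actually has something to hide.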