Question re prevention of enumeration with DNSSEC (NSEC3, etc.)
Ray Bellis
ray at bellis.me.uk
Sat May 7 12:12:40 UTC 2022
On 07/05/2022 02:18, Mukund Sivaraman wrote:
> If zone enumeration was not a real concern, NSEC3 would not
> exist. However, public DNS is a public tree and so we should have
> limited expectations for hiding names in it.
A significant motivation was to help defend database copyright in the
zone content, rather than to explicitly hide particular entries.
With NSEC it was simply too easy for a third party to produce an
infringing copy of the registry's entire database.
Ray