Question re prevention of enumeration with DNSSEC (NSEC3, etc.)

Ray Bellis ray at
Sat May 7 12:12:40 UTC 2022

On 07/05/2022 02:18, Mukund Sivaraman wrote:

> If zone enumeration was not a real concern, NSEC3 would not
> exist. However, public DNS is a public tree and so we should have
> limited expectations for hiding names in it.

A significant motivation was to help defend database copyright in the 
zone content, rather than to explicitly hide particular entries.

With NSEC it was simply too easy for a third party to produce an 
infringing copy of the registry's entire database.


More information about the NANOG mailing list