ispCP - Board - Support
DNSSEC - Printable Version


DNSSEC - Blondak - 10-08-2008 09:50 PM

Hi,
are you interested in DNSSEC support for bind9?
More about DNSSEC is available at

http://www.dnssec.cz/
http://en.wikipedia.org/wiki/DNSSEC


RE: DNSSEC - aseques - 10-08-2008 10:43 PM

At the moment, it doesn't seem to bring many benefits, and it has some important drawbacks.
Reading from the Wikipedia entry:
Quote: DNSSEC introduces the ability for a hostile party to enumerate all the names in a zone by following the NSEC chain. NSEC RRs assert which names do not exist in a zone by linking from existing name to existing name along a canonical ordering of all the names within a zone. Thus, an attacker can query these NSEC RRs in sequence to obtain all the names in a zone. Although this is not an attack on the DNS itself, it could allow an attacker to map network hosts or other resources by enumerating the contents of a zone.

So unless bind9 or the server we are using has proven support for NSEC3, I would oppose using it.
On the other hand, changing "allow recursion" to no by default in ispCP would disable any known problem with DNS poisoning.

cheers!
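
The NSEC behaviour described in the quoted Wikipedia passage, next to the NSEC3 alternative mentioned in the reply, as an added example (not part of the thread and not ispCP or BIND code). The zone names, salt and iteration count are constructed sample values, and the helper function names are hypothetical.

```python
import base64
import hashlib

# Constructed sample zone (owner names only); not taken from any real deployment.
ZONE = ["example.", "www.example.", "mail.example.", "vpn.example.", "db1.internal.example."]
B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789abcdefghijklmnopqrstuv")

def labels(name):
    return [l.encode() for l in name.lower().rstrip(".").split(".")]

def canonical_key(name):
    """RFC 4034 canonical order: compare lowercased labels, rightmost label first."""
    return labels(name)[::-1]

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash: SHA-1 of wire-format name + salt, re-hashed `iterations` more times."""
    salt = bytes.fromhex(salt_hex)
    wire = b"".join(bytes([len(l)]) + l for l in labels(name)) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(B32HEX).decode()

def require_absent(zone, qname):
    if canonical_key(qname) in map(canonical_key, zone):
        raise ValueError("name exists; no denial record applies")

def covering_pair(ordered, target, key):
    """Return the adjacent (owner, next) pair whose gap contains target; the last pair wraps."""
    for owner, nxt in zip(ordered, ordered[1:]):
        if key(owner) < target < key(nxt):
            return owner, nxt
    return ordered[-1], ordered[0]

def nsec_denial(zone, qname):
    """Owner and next name in the NSEC record proving qname absent: two real names, in clear."""
    require_absent(zone, qname)
    return covering_pair(sorted(zone, key=canonical_key), canonical_key(qname), canonical_key)

def nsec3_denial(zone, qname, salt_hex, iterations):
    """Same proof under NSEC3 (covering record only): the pair is two salted hashes."""
    require_absent(zone, qname)
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in zone)
    return covering_pair(hashes, nsec3_hash(qname, salt_hex, iterations), str)

if __name__ == "__main__":
    # Salt and iteration count below are sample values chosen for the demo.
    print("NSEC :", nsec_denial(ZONE, "nope.example."))
    print("NSEC3:", nsec3_denial(ZONE, "nope.example.", "aabbccdd", 5))
```

NSEC3 replaces the clear-text names in the chain with salted hashes rather than removing the chain, so a zone operator should still avoid relying on it alone to keep predictable host names private.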