NSEC3 Params

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Mar 1 03:12:51 CET 2017

> On Feb 28, 2017, at 8:36 PM, John Allen <john at klam.ca> wrote:
> How often should the NSEC3 params (salt in particular) be changed.

For now, never.  Choose a suitable random value around 8 octets long,
and keep it fixed.

Transitions between different NSEC3PARAM values may not be seamless,
and for many domains the bulk of the names are trivially found via PTR
lookups for their IPv4 blocks.

You probably don't have any strong reasons to attempt to hide the names
in your domain.  I also don't encourage large iteration counts, 10 or
less, perhaps 0 is best in most cases.  This reduces the CPU load on
your server in generating negative replies.

The ".com" zone an iteration count of zero and an empty salt:

	com. NSEC3PARAM 1 0 0 -

This is a good starting point.


More information about the dane-users mailing list