john at klam.ca
Wed Mar 1 04:50:37 CET 2017
I just set the NSEC3 params to 1 0 17 "16 digit random number".
I guess I will just have to back off.
As you point out, a PTR lookup probably does everything that an attack
would do anyway. If that is the case, is it pointless to have NSEC3 set?
On 2017-02-28 9:12 PM, Viktor Dukhovni wrote:
>> On Feb 28, 2017, at 8:36 PM, John Allen <john at klam.ca> wrote:
>> How often should the NSEC3 params (salt in particular) be changed?
> For now, never. Choose a suitable random value around 8 octets long,
> and keep it fixed.
> Transitions between different NSEC3PARAM values may not be seamless,
> and for many domains the bulk of the names are trivially found via PTR
> lookups for their IPv4 blocks.
> You probably don't have any strong reasons to attempt to hide the names
> in your domain. I also don't encourage large iteration counts, 10 or
> less, perhaps 0 is best in most cases. This reduces the CPU load on
> your server in generating negative replies.
> The ".com" zone an iteration count of zero and an empty salt:
> com. NSEC3PARAM 1 0 0 -
> This is a good starting point.
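To make the cost of the NSEC3PARAM choices discussed above concrete, here is an added example (not code from this thread, nor from any DNS server or signer) that parses an NSEC3PARAM record in presentation format, including the "-" empty-salt form of the .com record quoted by Viktor, and computes NSEC3 hashed owner names exactly as RFC 5155 section 5 specifies: SHA-1 over the canonical wire-format name plus salt, re-hashed "iterations" more times, then base32hex-encoded. The counting helper shows that an iteration count of 17 costs 18 SHA-1 invocations per name where 0 costs one; the salt value used for the 17-iteration comparison is constructed for the example. The test vector for "example." with salt aabbccdd and 12 iterations is taken from RFC 5155 Appendix A.

```python
"""NSEC3 hashed-owner-name computation (RFC 5155 section 5) and a cost
comparison between NSEC3PARAM settings.

Added example; not code from the dane-users thread or any DNS software.
"""
import base64
import hashlib

# RFC 4648 base32 -> base32hex (extended hex alphabet) translation table.
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = str.maketrans(_B32_STD, _B32_HEX)


def parse_nsec3param(rdata):
    """Parse NSEC3PARAM presentation format: 'alg flags iterations salt'.

    A salt of '-' means an empty salt (as in 'com. NSEC3PARAM 1 0 0 -');
    any other salt is a hex string. Returns (alg, flags, iterations, salt_bytes).
    """
    alg, flags, iterations, salt = rdata.split()
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return int(alg), int(flags), int(iterations), salt_bytes


def wire_name(name):
    """Canonical wire form of a domain name: lowercase, each label prefixed
    by its length, terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            encoded = label.encode("ascii")
            out += bytes([len(encoded)]) + encoded
    return out + b"\x00"


def nsec3_hash(name, salt, iterations):
    """H(x) = SHA-1(x || salt); the result is re-hashed 'iterations' more
    times, so iterations+1 digests are computed. Output is base32hex,
    lowercased as it appears in zone files (20 bytes -> 32 chars, no padding).
    """
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_HEX).lower()


def hashes_per_name(iterations):
    """Number of SHA-1 invocations needed to hash one owner name."""
    return iterations + 1


def hashed_owner(name, nsec3param_rdata):
    """Hash a name using the parameters from an NSEC3PARAM record."""
    _alg, _flags, iterations, salt = parse_nsec3param(nsec3param_rdata)
    return nsec3_hash(name, salt, iterations)


if __name__ == "__main__":
    # RFC 5155 Appendix A parameters: salt aabbccdd, 12 iterations.
    print("example. ->", hashed_owner("example.", "1 0 12 aabbccdd"))
    # The .com record quoted in the thread: zero iterations, empty salt.
    print("example. under .com params ->", hashed_owner("example.", "1 0 0 -"))
    # Constructed 16-hex-digit salt standing in for the poster's setting.
    for rdata in ("1 0 0 -", "1 0 17 0123456789abcdef"):
        its = parse_nsec3param(rdata)[2]
        print(f"NSEC3PARAM {rdata}: {hashes_per_name(its)} SHA-1 calls per name")
```

The per-name count matters twice: once for the signer, which hashes every name in the zone, and again for the authoritative server, which must hash query names on the fly to build the closest-encloser proof in each negative answer. That is the CPU cost Viktor refers to, and why a count of zero (as .com uses) is a sensible default.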