NSEC3 Params
John Allen
john at klam.ca
Wed Mar 1 04:50:37 CET 2017
oooooops!
I just set the nsec3 params to 1 0 17 "16 digit random number"
I guess I will just have to back off.
As you point out, a PTR lookup probably does everything that an attack
would do anyway. If that is the case, is it pointless to have nsec3 set
at all?
JohnA
On 2017-02-28 9:12 PM, Viktor Dukhovni wrote:
>> On Feb 28, 2017, at 8:36 PM, John Allen <john at klam.ca> wrote:
>>
>> How often should the NSEC3 params (salt in particular) be changed.
> For now, never. Choose a suitable random value around 8 octets long,
> and keep it fixed.
>
> Transitions between different NSEC3PARAM values may not be seamless,
> and for many domains the bulk of the names are trivially found via PTR
> lookups for their IPv4 blocks.
>
> You probably don't have any strong reasons to attempt to hide the names
> in your domain. I also don't encourage large iteration counts, 10 or
> less, perhaps 0 is best in most cases. This reduces the CPU load on
> your server in generating negative replies.
>
> The ".com" zone uses an iteration count of zero and an empty salt:
>
> com. NSEC3PARAM 1 0 0 -
>
> This is a good starting point.
>
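As an added illustration (not code from this thread), the RFC 5155 NSEC3 hash computed in Python shows what the two NSEC3PARAM fields under discussion actually do: every owner name in the zone rehashes when the salt changes, which is why a salt change is not seamless, and each extra iteration is one more SHA-1 per name on every negative answer. The names and salts below are constructed sample values; the one fixed expected hash is the "example." vector from RFC 5155 Appendix A.

```python
import hashlib

# RFC 4648 base32hex alphabet, used for NSEC3 owner names (no padding in DNS).
B32HEX = "0123456789abcdefghijklmnopqrstuv"


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """Unpadded base32hex (RFC 4648 section 7); a 20-byte SHA-1 digest becomes 32 chars."""
    bits = len(data) * 8
    nchars = (bits + 4) // 5
    n = int.from_bytes(data, "big") << (nchars * 5 - bits)
    return "".join(B32HEX[(n >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt); return IH(iterations).

    salt_hex is the NSEC3PARAM presentation form: hex digits, or "-" for an empty salt.
    """
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(owner_to_wire(name) + salt).digest()  # iterations + 1 SHA-1 calls total
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def rehash_zone(names, salt_hex: str, iterations: int) -> dict:
    """Map each owner name to its NSEC3 owner label under the given NSEC3PARAM settings."""
    return {n: nsec3_hash(n, salt_hex, iterations) for n in names}


def names_changed(names, old_params, new_params) -> int:
    """Count how many hashed owner names differ between two (salt, iterations) settings."""
    before = rehash_zone(names, *old_params)
    after = rehash_zone(names, *new_params)
    return sum(1 for n in names if before[n] != after[n])


if __name__ == "__main__":
    zone = ["example.", "www.example.", "mail.example."]  # constructed sample zone
    # Constructed salts: what the thread calls "1 0 17 <random>" versus the .com-style "1 0 0 -".
    print(rehash_zone(zone, "0123456789abcdef", 17))
    print(rehash_zone(zone, "-", 0))
    print("names that must be re-signed after a salt change:",
          names_changed(zone, ("0123456789abcdef", 17), ("fedcba9876543210", 17)))
```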
More information about the dane-users mailing list