NSEC3 Params

John Allen john at klam.ca
Wed Mar 1 04:50:37 CET 2017


I just set the nsec3 params to 1  0 17 "16 digit random number"

I guess I will just have to back off.

As you point out a PTR lookup probably does everything that an attack 
would do any way. If that is the case is it pointless to have nsec3 set 
at all.


On 2017-02-28 9:12 PM, Viktor Dukhovni wrote:
>> On Feb 28, 2017, at 8:36 PM, John Allen <john at klam.ca> wrote:
>> How often should the NSEC3 params (salt in particular) be changed.
> For now, never.  Choose a suitable random value around 8 octets long,
> and keep it fixed.
> Transitions between different NSEC3PARAM values may not be seamless,
> and for many domains the bulk of the names are trivially found via PTR
> lookups for their IPv4 blocks.
> You probably don't have any strong reasons to attempt to hide the names
> in your domain.  I also don't encourage large iteration counts, 10 or
> less, perhaps 0 is best in most cases.  This reduces the CPU load on
> your server in generating negative replies.
> The ".com" zone an iteration count of zero and an empty salt:
> 	com. NSEC3PARAM 1 0 0 -
> This is a good starting point.

More information about the dane-users mailing list