IMPORTANT: Please ensure your NSEC3 iteration count is sufficiently low
Lutz Donnerhacke
lutz at donnerhacke.de
Thu Apr 1 08:00:53 CEST 2021
On Wed, Mar 31, 2021 at 05:20:25PM -0400, Viktor Dukhovni wrote:
> If your DNS zone is configured to use NSEC3, please:
>
> - Reduce the iteration count to 10 or less.
>
> - Disable opt-out, you're very unlikely to need it.
>
> - Either rotate the salt each time you sign, or skip
> it entirely. But a short fixed salt is harmless if
> leaving it alone is easier than changing it.
>
> Of course, if your zone is small enough (just the zone apex and a
> handful of already public or easy-to-guess names) or in any case has
> nothing to hide, even better is to use just plain NSEC. You get smaller
> negative replies (less exposure to DoS) and more effective negative
> caching at resolvers. So in many cases, it is even simpler to abandon
> NSEC3 entirely. Please also consider the pros/cons of that option.
Thank you. Back to the basics.
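The three recommendations in the quoted message (iteration count of 10 or less, no opt-out, salt rotated or absent) can be checked mechanically against a zone's own NSEC3 and NSEC3PARAM records. The following is an added example, not code from the post or from either author: it assumes records in zone-file presentation format (the shape `dig NSEC3PARAM <zone>` or `dig +short` prints), the threshold of 10 comes from the message, and the sample records in `SAMPLE_RECORDS` are constructed for illustration rather than taken from any real zone.

```python
"""Check NSEC3 and NSEC3PARAM records against the recommendations quoted
above (iteration count of 10 or less, no opt-out, salt rotated or absent).

Added example, not code from the mailing-list post. It works on records in
zone-file presentation format, such as the output of `dig NSEC3PARAM <zone>`;
the records in SAMPLE_RECORDS are constructed, not taken from any real zone.
"""
from dataclasses import dataclass
from typing import Optional

MAX_ITERATIONS = 10   # threshold recommended in the quoted message
OPT_OUT_FLAG = 0x01   # RFC 5155: bit 0 of the NSEC3 Flags field is Opt-Out


@dataclass
class Nsec3Params:
    rrtype: str         # "NSEC3" or "NSEC3PARAM"
    hash_algorithm: int
    flags: int
    iterations: int
    salt: str           # hex digits, or "" when the record carries "-" (no salt)


def parse_record(line: str, rrtype: Optional[str] = None) -> Nsec3Params:
    """Parse one record line.

    With rrtype=None the line must contain the type token, as in
    "example.test. 3600 IN NSEC3PARAM 1 0 10 AB12"; owner, TTL and class
    are optional. With rrtype given, the line is bare RDATA as printed by
    `dig +short`.
    """
    fields = line.split()
    if rrtype is None:
        for i, tok in enumerate(fields):
            if tok.upper() in ("NSEC3", "NSEC3PARAM"):
                rrtype, fields = tok.upper(), fields[i + 1:]
                break
        else:
            raise ValueError(f"no NSEC3/NSEC3PARAM type token in: {line!r}")
    rrtype = rrtype.upper()
    if rrtype not in ("NSEC3", "NSEC3PARAM") or len(fields) < 4:
        raise ValueError(f"malformed {rrtype} record: {line!r}")
    alg, flags, iterations, salt = fields[:4]
    # NSEC3 RDATA continues with the next hashed owner and a type bitmap;
    # neither matters for these checks, so they are ignored.
    return Nsec3Params(
        rrtype=rrtype,
        hash_algorithm=int(alg),
        flags=int(flags),
        iterations=int(iterations),
        salt="" if salt == "-" else salt.upper(),
    )


def check(params: Nsec3Params) -> list:
    """Return findings for one record; an empty list means it follows the advice."""
    findings = []
    if params.iterations > MAX_ITERATIONS:
        findings.append(
            f"iterations={params.iterations} exceeds the recommended maximum of {MAX_ITERATIONS}"
        )
    # The Opt-Out bit is only meaningful in NSEC3 records; RFC 5155 requires
    # it to be zero in NSEC3PARAM, so it is inspected on NSEC3 only.
    if params.rrtype == "NSEC3" and params.flags & OPT_OUT_FLAG:
        findings.append("opt-out flag set; disable it unless the zone really needs it")
    if params.salt:
        # One snapshot cannot show whether the salt is rotated at each signing,
        # so a salt is reported for review rather than flagged as an error.
        findings.append(
            f"salt {params.salt} present ({len(params.salt) // 2} bytes); "
            "rotate it on each signing or drop it ('-')"
        )
    return findings


def audit(lines: list) -> dict:
    """Run check() over several record lines; the input lines are the keys."""
    return {line: check(parse_record(line)) for line in lines}


# Constructed sample records (not from any real zone).
SAMPLE_RECORDS = [
    "example.test. 3600 IN NSEC3PARAM 1 0 100 AABBCCDD",
    "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.test. 3600 IN NSEC3 1 1 100 AABBCCDD "
    "2t7b4g4vsa5smi47k61mv5bv1a22bojr NS SOA RRSIG DNSKEY NSEC3PARAM",
    "example.test. 3600 IN NSEC3PARAM 1 0 0 -",
]

if __name__ == "__main__":
    for record, findings in audit(SAMPLE_RECORDS).items():
        print(record)
        for finding in findings or ["ok"]:
            print("   ", finding)
```

Because the opt-out bit lives in the NSEC3 records rather than in NSEC3PARAM, a complete check of a signed zone needs at least one NSEC3 record from the chain (for example from a zone-file dump or a negative answer), not just the NSEC3PARAM record at the apex.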