IMPORTANT: Please ensure your NSEC3 iteration count is sufficiently low

Lutz Donnerhacke lutz at
Thu Apr 1 08:00:53 CEST 2021

On Wed, Mar 31, 2021 at 05:20:25PM -0400, Viktor Dukhovni wrote:
> If your DNS zone is configured to use NSEC3, please:
>     - Reduce the iteration count to 10 or less.
>     - Disable opt-out, you're very unlikely to need it.
>     - Either rotate the salt each time you sign, or skip
>       it entirely.  But a short fixed salt is harmless if
>       leaving it alone easier than changing it.
> Of course, if your zone is small enough (just the zone apex and a
> handful of already public or easy to guess names) or in any case has
> nothing to hide, even better is to use just plain NSEC.  You get smaller
> negative replies (less exposure to DoS) and more effective negative
> caching at resolvers.  So in many cases, it is even simpler to abandon
> NSEC3 entirely.  Please also consider the pros/cons of that option.

Thank you. Back to the basics.

More information about the dane-users mailing list