IMPORTANT: Please ensure your NSEC3 iteration count is sufficiently low

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Mar 31 23:20:25 CEST 2021


RFC 5155 defined NSEC3 iterations to scale up with the RSA/DSA key size
up to perhaps as high as 2500 iterations for 4096-bit keys.  In
retrospect such a generous iteration allowance proved
counter-productive.  It is neither particularly effective at keeping
your zone content "secret", nor sufficiently cheap to avoid negative
impact on authoritative and iterative resolver performance.

In that light, Wes Hardaker and I are working on an Internet-Draft
that strongly recommends setting the NSEC3 additional iteration count
to 0 (at least one initial SHA1 hash is always performed).

    https://tools.ietf.org/html/draft-hardaker-dnsop-nsec3-guidance-02

Today, the Knot resolver became the first one to cap NSEC3 iterations
for now at 150, but this will likely be reduced further:

	https://gitlab.nic.cz/knot/knot-resolver/-/tags/v5.3.1

and is expected to be done by more resolvers.

Since DANE SMTP downgrade-resistance relies critically on the security
of denial-of-existence, but iteration counts above the resolver cap make
denial-of-existence for the entire zone insecure, it is important that
all domains with an NSEC3 iteration count in excess of ~25 proactively
lower their iteration counts (ideally to 0, but otherwise ~10 or less).

A number of TLDs have already done this, and most of the rest will
follow soon.

    TLD                 before  after
    ---                 ------  -----
    la          	   150      1
    xn--q7ce6a  	   150      1
    blue        	   100     10
    green       	   100     10
    lat         	   100     10
    mx          	   100     10
    pink        	   100     10
    red         	   100     10
    schaeffler  	   100     10
    by          	   100      3
    creditunion 	   100      3
    ally        	   100      1
    autos       	   100      1
    boats       	   100      1
    homes       	   100      1
    motorcycles 	   100      1
    yachts      	   100      1

If your DNS zone is configured to use NSEC3, please:

    - Reduce the iteration count to 10 or less.

    - Disable opt-out, you're very unlikely to need it.

    - Either rotate the salt each time you sign, or skip
      it entirely.  But a short fixed salt is harmless if
      leaving it alone easier than changing it.

Of course, if your zone is small enough (just the zone apex and a
handful of already public or easy to guess names) or in any case has
nothing to hide, even better is to use just plain NSEC.  You get smaller
negative replies (less exposure to DoS) and more effective negative
caching at resolvers.  So in many cases, it is even simpler to abandon
NSEC3 entirely.  Please also consider the pros/cons of that option.

My impression is that this list has a small subscriber base, feel free
to pass this message along...

-- 
	Viktor.


More information about the dane-users mailing list