NSEC3 salt lifetime (and some other DNSSEC params): sane value?

Kalman Feher kalman.feher at melbourneit.com.au
Tue Sep 21 14:46:34 UTC 2010

On 21/09/10 3:43 PM, "Niobos" <niobos at dest-unreach.be> wrote:

> On 2010-09-21 15:32, Kalman Feher wrote:
>> On 21/09/10 8:43 AM, "Niobos" <niobos at dest-unreach.be> wrote:
>> I personally find protection against zone enumeration to be a false sense of
>> security. If it's public people will find it. Ask your self what it is that
>> you want publically accessible yet you don't want others to be aware of.
> I'll reply with a quote from the BIND & DNS book:
> It¹s the difference between letting random folks call your company¹s
> switchboard and ask for John Q. Cubicle¹s phone number [versus] sending
> them a copy of your corporate phone directory.
It may well be analogous to that (though I disagree), but the quote does not
substantiate why knowing public information is bad. In the example above,
you've simply saved your switchboard and the caller some time. If you don't
want someone to know it, don't make it public (at the very least).

You'll have to accept that no matter what steps you take, your public
information will be available to those who wish to find it. Taking steps to
prevent that is likely to waste more of your time than it will of those

>> On a large scale, manual
>> intervention would make me very concerned with the likelihood of human based
>> outages. 
> I'm even concerned that this will be the problem on my private zone...
> thank you again for the very insightful info!
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

Kal Feher 

More information about the bind-users mailing list