NSEC3 salt lifetime (and some other DNSSEC params): sane value?

Phil Mayers p.mayers at imperial.ac.uk
Tue Sep 21 14:56:12 UTC 2010

On 21/09/10 14:43, Niobos wrote:
> On 2010-09-21 15:32, Kalman Feher wrote:
>> On 21/09/10 8:43 AM, "Niobos"<niobos at dest-unreach.be>  wrote:
>> I personally find protection against zone enumeration to be a false sense of
>> security. If it's public people will find it. Ask your self what it is that
>> you want publically accessible yet you don't want others to be aware of.
> I'll reply with a quote from the BIND&  DNS book:
> It’s the difference between letting random folks call your company’s
> switchboard and ask for John Q. Cubicle’s phone number [versus] sending
> them a copy of your corporate phone directory.

That is a poor analogy.

Do you have reverse DNS in .in-addr.arpa?

Have you timed how long an "nmap -sL yoursubnet/mask" takes? Because it 
doesn't take very long for us, and we've got a lot of large subnets.

Attackers can gain a lot of info from this; certainly not *all* forward 
lookups, but a lot of them. Pretending that stopping zone enumeration is 
much of a security boost is just that IMHO - pretending.

More information about the bind-users mailing list