NSEC3 salt lifetime (and some other DNSSEC params): sane value?
p.mayers at imperial.ac.uk
Tue Sep 21 14:56:12 UTC 2010
On 21/09/10 14:43, Niobos wrote:
> On 2010-09-21 15:32, Kalman Feher wrote:
>> On 21/09/10 8:43 AM, "Niobos" <niobos at dest-unreach.be> wrote:
>> I personally find protection against zone enumeration to be a false sense of
>> security. If it's public people will find it. Ask yourself what it is that
>> you want publicly accessible yet you don't want others to be aware of.
> I'll reply with a quote from the BIND & DNS book:
> It’s the difference between letting random folks call your company’s
> switchboard and ask for John Q. Cubicle’s phone number [versus] sending
> them a copy of your corporate phone directory.
That is a poor analogy.
Do you have reverse DNS in .in-addr.arpa?
Have you timed how long an "nmap -sL yoursubnet/mask" takes? Because it
doesn't take very long for us, and we've got a lot of large subnets.
Attackers can gain a lot of info from this; certainly not *all* forward
lookups, but a lot of them. Pretending that stopping zone enumeration is
much of a security boost is just that IMHO - pretending.
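To put a number on the argument above (a PTR sweep of a public subnet recovers many forward names, but not all of them), here is an added example that is not from the thread: it simulates the reverse lookups a list scan would perform against constructed sample records and reports which forward names a sweep exposes and which ones only zone enumeration would reveal.

```python
import ipaddress

# Constructed sample data (not from the thread): forward A records for a zone
# and the PTR records its operator published for 192.0.2.0/28.
FORWARD_A = {
    "www.example.com.": "192.0.2.10",
    "mail.example.com.": "192.0.2.11",
    "intranet.example.com.": "192.0.2.12",
    "staging.example.com.": "192.0.2.12",   # shares an address; PTR names only one
    "vpn.example.com.": "192.0.2.13",       # generic PTR that does not match
    "db.example.com.": "10.0.0.5",          # RFC 1918 address, not in the public reverse zone
}
PTR_RECORDS = {
    "192.0.2.10": "www.example.com.",
    "192.0.2.11": "mail.example.com.",
    "192.0.2.12": "intranet.example.com.",
    "192.0.2.13": "host13.example.com.",
}


def ptr_sweep(network, ptr_records):
    """Return the set of names a PTR lookup of every address in `network`
    would yield. Answers come from the constructed dict, not from real DNS."""
    names = set()
    for addr in ipaddress.ip_network(network):
        name = ptr_records.get(str(addr))
        if name:
            names.add(name)
    return names


def reverse_exposure(network, forward_a, ptr_records):
    """Split forward names into those a reverse sweep already reveals and those
    that stay hidden unless the zone itself can be enumerated (NSEC walking).
    The 'hidden' list is the residual benefit of NSEC3 over NSEC."""
    revealed = ptr_sweep(network, ptr_records)
    exposed = sorted(n for n in forward_a if n in revealed)
    hidden = sorted(n for n in forward_a if n not in revealed)
    return {
        "exposed": exposed,
        "hidden": hidden,
        "fraction_exposed": len(exposed) / len(forward_a),
    }


if __name__ == "__main__":
    report = reverse_exposure("192.0.2.0/28", FORWARD_A, PTR_RECORDS)
    print(f"{report['fraction_exposed']:.0%} of forward names exposed by PTR sweep")
    print("still hidden:", ", ".join(report["hidden"]))
```

Replacing `PTR_RECORDS` with the answers of a real resolver for your own netblocks gives a quick measure of how much of your forward zone is already public through reverse DNS.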