NSEC3 salt lifetime (and some other DNSSEC params): sane value?

Lightner, Jeff jlightner at water.com
Tue Sep 21 15:40:05 UTC 2010


I always liken arguments such as this to a leaky boat. While one
certainly does more to eliminate the boat filling with water by plugging
the big holes, that does NOT mean there is no value in caulking the small
ones. Over time enough of the small ones might be enough to swamp the
boat.

-----Original Message-----
From: bind-users-bounces+jlightner=water.com at lists.isc.org
[mailto:bind-users-bounces+jlightner=water.com at lists.isc.org] On Behalf
Of Phil Mayers
Sent: Tuesday, September 21, 2010 10:56 AM
To: bind-users at lists.isc.org
Subject: Re: NSEC3 salt lifetime (and some other DNSSEC params): sane
value?

On 21/09/10 14:43, Niobos wrote:
> On 2010-09-21 15:32, Kalman Feher wrote:
>> On 21/09/10 8:43 AM, "Niobos"<niobos at dest-unreach.be>  wrote:
>> I personally find protection against zone enumeration to be a false
>> sense of security. If it's public people will find it. Ask yourself what
>> it is that you want publicly accessible yet you don't want others to be
>> aware of.
> I'll reply with a quote from the BIND & DNS book:
> It's the difference between letting random folks call your company's
> switchboard and ask for John Q. Cubicle's phone number [versus] sending
> them a copy of your corporate phone directory.

That is a poor analogy.

Do you have reverse DNS in .in-addr.arpa?

Have you timed how long an "nmap -sL yoursubnet/mask" takes? Because it
doesn't take very long for us, and we've got a lot of large subnets.

Attackers can gain a lot of info from this; certainly not *all* forward
lookups, but a lot of them. Pretending that stopping zone enumeration is
much of a security boost is just that IMHO - pretending.