NSEC3 salt lifetime (and some other DNSSEC params): sane value?

Kalman Feher kalman.feher at melbourneit.com.au
Wed Sep 22 06:29:09 UTC 2010

On 22/09/10 4:14 AM, "Doug Barton" <dougb at dougbarton.us> wrote:

> On 9/21/2010 7:46 AM, Kalman Feher wrote:
>> It may well be analogous to that (though I disagree), but the quote does not
>> substantiate why knowing public information is bad. In the example above,
>> you've simply saved your switchboard and the caller some time. If you don't
>> want someone to know it, don't make it public (at the very least).
>> You'll have to accept that no matter what steps you take, your public
>> information will be available to those who wish to find it. Taking steps to
>> prevent that is likely to waste more of your time than it will of those
>> looking.
> When this topic first came up 12+ years ago I (and others) said that
> DNSSEC would never see wide deployment unless the ability to walk the
> zone was eliminated. We were all poo-pooed at the time with lots of
> "security through obscurity, LOL" type arguments. Development of DNSSEC
> specs continued to ignore the need to eliminate zone-walking for almost
> a decade until finally a consortium of folks more influential than I put
> their foot down and hammered out the NSEC3 spec (abridging the history
> here for the sake of a good story).
> My point being, it really doesn't matter if you agree with the reasoning
> or not, whether you understand the use case(s) or not, or whether you
> ever deploy NSEC3 or not. The fact is that there are a non-trivial
> number of organizations who will not deploy DNSSEC without it, so
> attempting to convince people not to use it is pointless.
Not surprising that you've missed the point given the long thread, but I'll
reiterate here.

The concern was that a zone could be walked even _with_ NSEC3. Use whichever
NSEC floats your (leaky) boat. It isn't going to stop public information
from falling into an evil person's hands.

I'd recommend being a little more sensible and only making public that which
you want to be public. Then protecting all systems addressed within the zone
as if bad people knew about them, regardless of the "these are not the RRs
you're looking for" magical powers of NSEC3.

> Doug (... and it annoys the pig)

Kal Feher 
