NSEC3 salt lifetime (and some other DNSSEC params): sane value?
niobos at dest-unreach.be
Wed Sep 22 08:30:06 UTC 2010
On 2010-09-21 16:46, Kalman Feher wrote:
> If you don't
> want someone to know it, don't make it public (at the very least).
I agree totally!
> You'll have to accept that no matter what steps you take, your public
> information will be available to those who wish to find it.
But I'd argue that there are different "grades" of public information.
My home phone number is public. You can look it up in the (paper or
electronic) phonebook. That doesn't mean I'll put it in the footer of
every mail/facebook/twitter I send out. Hell, I even use an alias to
post to newsgroups instead of my real name. And sure you can figure out
who I am, that info is publicly available somewhere (despite my
efforts), but I'm not going to hand it to you on a plate.
In that sense, I still believe that using NSEC3 over NSEC adds another
barrier to those who want to walk your zone. And while it's possible
(you could even argue "easy") to overcome, it's yet another speed bump.
The whole point of NSEC3 was to make zone walking as difficult as
brute-forcing the server, not to make it impossible.
> Taking steps to
> prevent that is likely to waste more of your time than it will of those
Unless you're calculating the NSEC3 hashes by hand, it took me under 1
minute to add an NSEC3PARAM RRset to my zone. And I'm fairly confident
that it will take at least 1 minute longer to walk an NSEC3 zone than an
More information about the bind-users