NSEC3 salt lifetime (and some other DNSSEC params): sane value?
niobos at dest-unreach.be
Wed Sep 22 09:24:10 UTC 2010
On 2010-09-21 16:56, Phil Mayers wrote:
> On 21/09/10 14:43, Niobos wrote:
>> On 2010-09-21 15:32, Kalman Feher wrote:
>>> On 21/09/10 8:43 AM, "Niobos"<niobos at dest-unreach.be> wrote:
>>> I personally find protection against zone enumeration to be a false
>>> sense of
>>> security. If it's public people will find it. Ask your self what it
>>> is that
>>> you want publically accessible yet you don't want others to be aware of.
>> I'll reply with a quote from the BIND& DNS book:
>> It’s the difference between letting random folks call your company’s
>> switchboard and ask for John Q. Cubicle’s phone number [versus] sending
>> them a copy of your corporate phone directory.
> That is a poor analogy.
> Do you have reverse DNS in .in-addr.arpa?
> Have you timed how long an "nmap -sL yoursubnet/mask" takes? Because it
> doesn't take very long for us, and we've got a lot of large subnets.
A few seconds
> Attackers can gain a lot of info from this;
> certainly not *all* forward
> lookups, but a lot of them.
My zone consists of mostly CNAMEs that map vhosts to physical hosts; you
won't find these with .in-addr.arpa.
More information about the bind-users