NSEC3 salt lifetime (and some other DNSSEC params): sane value?

Matus UHLAR - fantomas uhlar at fantomas.sk
Wed Sep 22 09:29:26 UTC 2010


> >> I'll reply with a quote from the BIND & DNS book:
> >> It’s the difference between letting random folks call your company’s
> >> switchboard and ask for John Q. Cubicle’s phone number [versus] sending
> >> them a copy of your corporate phone directory.

> > That is a poor analogy.

imho it's perfect.

> On 2010-09-21 16:56, Phil Mayers wrote:
> > Do you have reverse DNS in .in-addr.arpa?

On 22.09.10 11:24, Niobos wrote:
> Yes

> > Have you timed how long an "nmap -sL yoursubnet/mask" takes? Because it
> > doesn't take very long for us, and we've got a lot of large subnets.

> A few seconds

and how long will it take for /48 (2^80 = 1208925819614629174706176) in ipv6
environment? :)

> > Attackers can gain a lot of info from this;
> Correct

at present, yes. with ipv6, they will rely much more on DNS or other public
information.
-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Emacs is a complicated operating system without good text editor.



More information about the bind-users mailing list