In message <[email protected]>, David Newman writes:
> > It's probably worth noticing what the big operators do, e.g.
> >
> > $ dig +noall +answer +nottl NSEC3PARAM com. edu. net. org.
> > com. IN NSEC3PARAM 1 0 0 -
> > edu. IN NSEC3PARAM 1 0 0 -
> > net. IN NSEC3PARAM 1 0 0 -
> > org. IN NSEC3PARAM 1 0 1 D399EAAB
> >
> > (AFAIK the salt used for "org" has never changed - and the same value
> > is used for 23 other TLDs.) A quick check revealed 216 TLDs [*] with
> > NSEC3PARAM records, distributed as follows:
> >
> > Extra                      Salt length (bytes)                    Total
> > iterations     0    2    3    4    5    6    8   10   16
> >
> >          0     7    -    -    -    -    -    -    -    -        7
> >          1     -    -    -  125    -    -    1    -    -      126
> >          2     -    -    -    2    -    -    -    -    1        3
> >          3     -    3    -    1    -    -    -    -    -        4
> >          5     1    -    -    1    5    -   15    1    -       23
> >          8     -    -    -    -    -    2    -    -    -        2
> >         10     2    4    5   25    -    -    1    -    -       37
> >         12     -    -    -    -    -    -    5    1    -        6
> >         13     -    -    1    -    -    -    -    -    -        1
> >         15     -    -    -    1    -    -    -    -    -        1
> >         17     -    -    -    -    -    -    1    -    -        1
> >         25     -    -    -    -    -    -    2    -    -        2
> >        100     -    -    -    -    -    -    1    -    -        1
> >        150     -    -    -    1    -    -    1    -    -        2
> >
> > Total         10    7    6  156    5    2   27    2    1      216
>
> That's interesting. It seems to contradict Lucas' advice to "always use
> '1 0 10' for these [NSEC3] flags, as fewer aren't secure enough and more
> aren't any more secure."
>
> dn
Like many things it depends upon what you are doing. Many TLDs only want
NSEC3 for the OPTOUT flag. They don't care about offline enumeration. You
only change the salt and use non-zero iterations if you care about offline
enumeration.

Optout gives them 1 in x delegations with an NSEC3 record compared to every
delegation with an NSEC record. They already know that most of the names in
the zone are known. Somewhere around 1 in 1.x delegations is where NSEC
starts taking up less space.

Remember NSEC3 cannot make zone enumeration more secure than just querying
the servers themselves. The idea is to make offline enumeration about as
expensive as online.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
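The hashing that the NSEC3PARAM fields above control, and the cost model behind Mark's point that iterations and salt only matter for offline enumeration, written out as an added example for this thread. It is not code from the thread, from ISC or from BIND. It implements the RFC 5155 owner-name hash (SHA-1 over the canonical wire-format name plus salt, iterated), checks itself against the RFC 5155 Appendix A vector (zone "example", salt aabbccdd, 12 iterations) and against the com. apex parameters quoted in the dig output ("1 0 0 -"), and then runs a dictionary guess against a constructed set of chain hashes. The wordlist and the hash set are constructed for the demonstration; `offline_guess` and `wire_name` are names chosen here, not any library's API.

```python
"""NSEC3 owner-name hashing (RFC 5155 section 5) and the offline-enumeration
cost model behind the "iterations" and "salt" fields of NSEC3PARAM.
Added example for the bind-users discussion; not ISC/BIND code."""
import base64
import hashlib

# RFC 4648 base32hex is produced by translating the standard base32 alphabet.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lowercase labels, each
    prefixed by its length, terminated by the zero-length root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name: str, salt: str, iterations: int, algorithm: int = 1) -> str:
    """H(name) per RFC 5155: SHA-1(owner || salt), then `iterations` further
    rounds of SHA-1(previous || salt); the result is lowercase base32hex.
    `salt` is the presentation-format hex string, "-" meaning no salt."""
    if algorithm != 1:
        raise ValueError("RFC 5155 defines only hash algorithm 1 (SHA-1)")
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    digest = hashlib.sha1(wire_name(name) + salt_bytes).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt_bytes).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def offline_guess(zone: str, salt: str, iterations: int,
                  chain_hashes: set, wordlist) -> tuple:
    """Dictionary attack against hashed owner names lifted from a zone's NSEC3
    chain. Returns ({hash: recovered name}, SHA-1 calls spent).

    Every guess costs iterations + 1 SHA-1 calls, and the whole table has to
    be recomputed when the zone changes its salt. An online probe costs one
    query per guess regardless of the iteration count, which is why raising
    iterations can at best make the offline attack as expensive as asking
    the authoritative servers directly."""
    found, sha1_calls = {}, 0
    for word in wordlist:
        candidate = f"{word}.{zone}" if word else zone
        digest = nsec3_hash(candidate, salt, iterations)
        sha1_calls += iterations + 1
        if digest in chain_hashes:
            found[digest] = candidate
    return found, sha1_calls


if __name__ == "__main__":
    # com. publishes "1 0 0 -" (no salt, no extra iterations, per the dig
    # output quoted above); its apex hashes to the well-known owner below.
    print("com. apex:", nsec3_hash("com.", "-", 0))
    # -> ck0pojmg874ljref7efn8430qvit8bsm

    # RFC 5155 Appendix A zone: NSEC3PARAM 1 0 12 aabbccdd.
    print("example. apex:", nsec3_hash("example.", "aabbccdd", 12))
    # -> 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom

    # Constructed chain: the operator publishes these three hashed owners.
    published = ["example", "ns1.example", "a.example"]
    chain = {nsec3_hash(n, "aabbccdd", 12) for n in published}
    # Constructed wordlist of guesses; "" is the zone apex itself.
    guesses = ["", "ns1", "www", "a"]
    found, calls = offline_guess("example", "aabbccdd", 12, chain, guesses)
    print("recovered:", sorted(found.values()), "with", calls, "SHA-1 calls")
    # Same guesses with the salt rotated: nothing carries over, start again.
    found2, _ = offline_guess("example", "00000000", 12, chain, guesses)
    print("after salt change, recovered:", sorted(found2.values()))
```

The test vectors are the reason the block is trustworthy: if `wire_name` forgot the terminating zero label or the base32hex translation were wrong, the Appendix A value would not come out. The last two calls show the two levers the thread discusses: iterations scale the per-guess cost linearly (13 SHA-1 calls per candidate at "12"), and a new salt invalidates every precomputed hash while leaving online probing exactly as cheap as before.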

