On Wed, Mar 31, 2021 at 05:20:25PM -0400, Viktor Dukhovni wrote:
> If your DNS zone is configured to use NSEC3, please:
>
> - Reduce the iteration count to 10 or less.
>
> - Disable opt-out, you're very unlikely to need it.
>
> - Either rotate the salt each time you sign, or skip
>   it entirely. But a short fixed salt is harmless if
>   leaving it alone is easier than changing it.
>
> Of course, if your zone is small enough (just the zone apex and a
> handful of already public or easy to guess names) or in any case has
> nothing to hide, even better is to use just plain NSEC. You get smaller
> negative replies (less exposure to DoS) and more effective negative
> caching at resolvers. So in many cases, it is even simpler to abandon
> NSEC3 entirely. Please also consider the pros/cons of that option.
Thank you. Back to the basics.
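As an added example (not part of the thread above, and not a tool from either poster), the script below checks a zone file fragment against the three NSEC3 points in the quoted advice: it reads the NSEC3PARAM record for the iteration count and salt, counts NSEC3 records with the Opt-Out flag set (RFC 5155 flags bit 0), and implements the RFC 5155 hash so the per-name cost of a high iteration count (iterations + 1 SHA-1 operations) is concrete. The zone lines are constructed input; the hashed owner labels in them are placeholders, not real hashes of the names shown.

```python
# Added example: NSEC3 hygiene checker for the advice quoted above.
import base64
import hashlib

# base32hex (RFC 4648 "Extended Hex") alphabet, produced by translating
# the standard base32 alphabet that the stdlib emits.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")

MAX_RECOMMENDED_ITERATIONS = 10  # threshold from the quoted advice
NSEC3_OPT_OUT_FLAG = 0x01        # RFC 5155 section 3.1.2.1, bit 0 of Flags


def wire_name(name):
    """Canonical (lower-cased) wire-format encoding of a domain name."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return out + b"\x00"


def nsec3_hash(name, iterations, salt_hex):
    """RFC 5155 section 5: IH(0) = SHA-1(name || salt); IH(k) = SHA-1(IH(k-1) || salt).

    The result after `iterations` extra rounds is returned as a lower-case
    base32hex label, i.e. `iterations + 1` SHA-1 operations per name.
    """
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def audit_zone(zone_text):
    """Check NSEC3PARAM / NSEC3 lines of a zone against the quoted advice.

    Expects full "owner TTL IN TYPE rdata..." lines. Returns a list of
    (code, message) tuples; an empty list means nothing needs changing.
    """
    findings = []
    opt_out_records = 0
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[2] != "IN":
            continue
        rtype, rdata = fields[3], fields[4:]
        if rtype == "NSEC3PARAM":
            iterations, salt = int(rdata[2]), rdata[3]
            if iterations > MAX_RECOMMENDED_ITERATIONS:
                findings.append(("iterations",
                                 f"NSEC3PARAM uses {iterations} iterations; reduce to "
                                 f"{MAX_RECOMMENDED_ITERATIONS} or less (resolvers spend "
                                 f"{iterations + 1} SHA-1 operations per queried name)"))
            if salt != "-":
                findings.append(("salt",
                                 f"fixed salt {salt}: rotate it at every signing, or use "
                                 f"'-' (no salt); a short fixed salt is harmless if left alone"))
        elif rtype == "NSEC3" and int(rdata[1]) & NSEC3_OPT_OUT_FLAG:
            opt_out_records += 1
    if opt_out_records:
        findings.append(("opt-out",
                         f"{opt_out_records} NSEC3 record(s) have the Opt-Out flag set; "
                         f"disable opt-out unless the zone really needs it"))
    return findings


# Constructed zone fragments (hashed labels are placeholders, not real hashes).
WEAK_ZONE = """\
example.com. 3600 IN NSEC3PARAM 1 0 100 DEADBEEF
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.com. 3600 IN NSEC3 1 1 100 DEADBEEF 2t7b4g4vsa5smi47k61mv5bv1a22bojr NS SOA RRSIG DNSKEY NSEC3PARAM
2t7b4g4vsa5smi47k61mv5bv1a22bojr.example.com. 3600 IN NSEC3 1 1 100 DEADBEEF 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom A RRSIG
"""

HARDENED_ZONE = """\
example.com. 3600 IN NSEC3PARAM 1 0 0 -
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.com. 3600 IN NSEC3 1 0 0 - 2t7b4g4vsa5smi47k61mv5bv1a22bojr NS SOA RRSIG DNSKEY NSEC3PARAM
"""

if __name__ == "__main__":
    for label, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        print(f"{label}: {audit_zone(zone) or 'no findings'}")
    # RFC 5155 Appendix A parameters: 12 iterations, salt aabbccdd.
    print("hash(example.) =", nsec3_hash("example.", 12, "aabbccdd"))
```

The hardened fragment keeps NSEC3 but with zero extra iterations, no salt and opt-out cleared; whether to go further and switch to plain NSEC, as the quoted message suggests for small zones, is a judgement the script does not make.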
