changing NSEC3 salt

Mark Andrews marka at isc.org
Tue Feb 11 22:33:57 UTC 2014


In message <52FA7D8E.400 at networktest.com>, David Newman writes:
> > It's probably worth noticing what the big operators do, e.g.
> > 
> > $ dig +noall +answer +nottl NSEC3PARAM com. edu. net. org.
> > com.                    IN      NSEC3PARAM 1 0 0 -
> > edu.                    IN      NSEC3PARAM 1 0 0 -
> > net.                    IN      NSEC3PARAM 1 0 0 -
> > org.                    IN      NSEC3PARAM 1 0 1 D399EAAB
> > 
> > (AFAIK the salt used for "org" has never changed - and the same value
> > is used for 23 other TLDs.) A quick check revealed 216 TLDs [*] with
> > NSEC3PARAM records, distributed as follows:
> > 
> >   Extra                 Salt length (bytes)               Total
> > iterations    0    2    3    4    5    6    8   10   16
> > 
> >     0         7    -    -    -    -    -    -    -    -       7
> >     1         -    -    -  125    -    -    1    -    -     126
> >     2         -    -    -    2    -    -    -    -    1       3
> >     3         -    3    -    1    -    -    -    -    -       4
> >     5         1    -    -    1    5    -   15    1    -      23
> >     8         -    -    -    -    -    2    -    -    -       2
> >    10         2    4    5   25    -    -    1    -    -      37
> >    12         -    -    -    -    -    -    5    1    -       6
> >    13         -    -    1    -    -    -    -    -    -       1
> >    15         -    -    -    1    -    -    -    -    -       1
> >    17         -    -    -    -    -    -    1    -    -       1
> >    25         -    -    -    -    -    -    2    -    -       2
> >   100         -    -    -    -    -    -    1    -    -       1
> >   150         -    -    -    1    -    -    1    -    -       2
> > 
> >  Total       10    7    6  156    5    2   27    2    1     216
> 
> 
> That's interesting. It seems to contradict Lucas' advice to "always use
> '1 0 10' for these [NSEC3] flags, as fewer aren't secure enough and more
> aren't any more secure."
> 
> dn

Like many things, it depends upon what you are doing.  Many TLDs
only want NSEC3 for the OPTOUT flag.  They don't care about offline
enumeration.  You only change the salt and use non-zero
iterations if you care about offline enumeration.

Optout gives them 1 in x delegations with an NSEC3 record compared
to every delegation with an NSEC record.  They already know that
most of the names in the zone are known.  Somewhere around 1 in 1.x
delegations is where NSEC starts taking up less space.

Remember NSEC3 cannot make zone enumeration more secure than just
querying the servers themselves.  The idea is to make offline
enumeration about as expensive as online.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
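Added example (not from the thread or from BIND): a small script that parses NSEC3PARAM records in the presentation form dig printed above and computes the NSEC3 owner hash of a name the way RFC 5155 section 5 defines it (SHA-1 over the canonical wire-format name plus salt, repeated iterations+1 times, base32hex encoded). It shows two things the discussion turns on: the number of SHA-1 calls per name grows linearly with the iteration count, which is exactly the cost an offline guess has to pay, and changing the salt changes every hash in the zone. The sample input below is constructed from the quoted dig output; the expected hash values are the RFC 5155 Appendix A test vectors (zone "example", salt aabbccdd, 12 iterations).

```python
import base64
import hashlib

# Constructed sample: the NSEC3PARAM answers quoted earlier in the thread,
# in the format "dig +noall +answer +nottl" prints them.
SAMPLE_DIG_OUTPUT = """\
com.                    IN      NSEC3PARAM 1 0 0 -
edu.                    IN      NSEC3PARAM 1 0 0 -
net.                    IN      NSEC3PARAM 1 0 0 -
org.                    IN      NSEC3PARAM 1 0 1 D399EAAB
"""

# RFC 4648 base32 alphabet -> base32hex ("extended hex") alphabet, RFC 5155 s.5.
BASE32HEX_TABLE = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def parse_nsec3param(text):
    """Return {owner: (hash_alg, flags, iterations, salt_bytes)} for each
    NSEC3PARAM line.  A salt of "-" in presentation format means no salt.
    Note the flags field of NSEC3PARAM is reserved (0); the Opt-Out bit lives
    in the NSEC3 records themselves, not here."""
    params = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[2] != "NSEC3PARAM":
            continue
        owner = fields[0].lower()
        alg, flags, iterations = (int(f) for f in fields[3:6])
        salt = b"" if fields[6] == "-" else bytes.fromhex(fields[6])
        params[owner] = (alg, flags, iterations, salt)
    return params


def name_to_wire(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return wire + b"\x00"          # root label terminates the name


def nsec3_hash(name, salt, iterations, alg=1):
    """RFC 5155 section 5: H0 = SHA-1(name||salt); Hk = SHA-1(Hk-1||salt),
    so a name costs iterations+1 SHA-1 computations.  Returns base32hex."""
    if alg != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined for NSEC3")
    digest = name_to_wire(name)
    for _ in range(iterations + 1):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(BASE32HEX_TABLE).decode("ascii").lower()


def sha1_calls_per_guess(iterations):
    """Work an offline guess must do per candidate name (and what the signer
    and every validating resolver also pay per NSEC3 lookup)."""
    return iterations + 1


def salt_change_rehashes_zone(name, old_salt, new_salt, iterations):
    """True when changing the salt moves the hashed owner of `name`, i.e.
    every NSEC3 record in the zone has to be regenerated after a salt change."""
    return nsec3_hash(name, old_salt, iterations) != nsec3_hash(name, new_salt, iterations)


if __name__ == "__main__":
    for owner, (alg, flags, iters, salt) in parse_nsec3param(SAMPLE_DIG_OUTPUT).items():
        print(f"{owner:5} alg={alg} iter={iters} salt={salt.hex() or '-':8} "
              f"SHA-1 calls per name={sha1_calls_per_guess(iters)}")
    print("example. ->", nsec3_hash("example.", bytes.fromhex("aabbccdd"), 12))
```

The script is deliberately hash-only: it takes a name you already know and computes its NSEC3 owner, which is what a signer or a validating resolver has to do anyway. The iteration count multiplies that cost for the guesser, the signer and the resolver alike, which is the trade-off behind the "1 0 10" advice and behind the TLDs' choice of "1 0 0 -" when all they want is Opt-Out.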
