NSEC3 salt lifetime (and some other DNSSEC params): sane value?

Niobos niobos at dest-unreach.be
Tue Sep 21 13:43:25 UTC 2010


On 2010-09-21 15:32, Kalman Feher wrote:
> On 21/09/10 8:43 AM, "Niobos" <niobos at dest-unreach.be> wrote:
> I personally find protection against zone enumeration to be a false sense of
> security. If it's public people will find it. Ask yourself what it is that
> you want publicly accessible yet you don't want others to be aware of.
I'll reply with a quote from the BIND & DNS book:
It’s the difference between letting random folks call your company’s
switchboard and ask for John Q. Cubicle’s phone number [versus] sending
them a copy of your corporate phone directory.

> On a large scale, manual
> intervention would make me very concerned with the likelihood of human-based
> outages. 
I'm even concerned that this will be the problem on my private zone...

Thank you again for the very insightful info!



