changing NSEC3 salt
David Newman
dnewman at networktest.com
Tue Feb 11 19:44:14 UTC 2014
On 2/11/14 7:38 AM, Chris Thompson wrote:
> On Feb 10 2014, Mark Andrews wrote:
>
>> In message <52F94EE2.7080505 at ksu.edu>, "Lawrence K. Chen, P.Eng." writes:
> [... snip ...]
>>> On 02/06/14 15:07, Timothe Litt wrote:
> [... snip ...]
>>> > Note also the RFC 5155 recommendation:
>>> >> The salt SHOULD be at least 64 bits long and unpredictable, so that
>>> >> an attacker cannot anticipate the value of the salt and compute the
>>> >> next set of dictionaries before the zone is published.
>>> > In case it wasn't obvious, I should have noted that the length
>>> would be
>>> > a config file entry.
> [...]
>>>
>>> Interesting....I guess I need to keep up more on these things.
>>>
>>> I haven't changed my NSEC3 salt since I initially set up DNSSEC here,
>>> and seemed to me that the document I was working off of back then said 4
>>> hex characters.
>>>
>>> Which probably made it extra hard for me to come up with a random
>>> number. So, its totally non-random...so all I did was take the hex for
>>> two (well-known) letters...for my salt. Since the salt is 'public',
>>> I'll say it. my salt is "KS", or "4b53".
>>>
>>> So now to think of how to add NSEC3 salt changing to my current
>>> automation scripts....
>>
>> And for most zones it won't make a bit of difference. Most are
>> mainly static and once you have sampled the zone enough times to
>> have (almost) all the NSEC3 records you just keep testing against
>> those NSEC3 records. Once you find a name in the zone you can just
>> test that it still exists. When the NSEC3 parameters change you
>> just run the know names through for a non-existing type and you
>> get confirmation of the name and a new set of NSEC3 records without
>> having to do as much sampling.
>>
>> It makes a bit of sense for zones that have names that a coming and
>> going all the time but even then you can reuse existing knowledge.
>
> It's probably worth noticing what the big operators do, e.g.
>
> $ dig +noall +answer +nottl NSEC3PARAM com. edu. net. org.
> com. IN NSEC3PARAM 1 0 0 -
> edu. IN NSEC3PARAM 1 0 0 -
> net. IN NSEC3PARAM 1 0 0 -
> org. IN NSEC3PARAM 1 0 1 D399EAAB
>
> (AFAIK the salt used for "org" has never changed - and the same value
> is used for 23 other TLDs.) A quick check revealed 216 TLDs [*] with
> NSEC3PARAM records, distributed as follows:
>
> Extra Salt length (bytes) Total
> iterations 0 2 3 4 5 6 8 10 16
>
> 0 7 - - - - - - - - 7
> 1 - - - 125 - - 1 - - 126
> 2 - - - 2 - - - - 1 3
> 3 - 3 - 1 - - - - - 4
> 5 1 - - 1 5 - 15 1 - 23
> 8 - - - - - 2 - - - 2
> 10 2 4 5 25 - - 1 - - 37
> 12 - - - - - - 5 1 - 6
> 13 - - 1 - - - - - - 1
> 15 - - - 1 - - - - - 1
> 17 - - - - - - 1 - - 1
> 25 - - - - - - 2 - - 2
> 100 - - - - - - 1 - - 1
> 150 - - - 1 - - 1 - - 2
>
> Total 10 7 6 156 5 2 27 2 1 216
That's interesting. It seems to contradict Lucas' advice to "always use
'1 0 10' for these [NSEC3] flags, as fewer aren't secure enough and more
aren't any more secure."
dn
>
>
> [*] A lot more than there used to be, due to the influx of new gTLDs.
>
More information about the bind-users
mailing list