changing NSEC3 salt
Mark Andrews
marka at isc.org
Tue Feb 11 22:33:57 UTC 2014
In message <52FA7D8E.400 at networktest.com>, David Newman writes:
> > It's probably worth noticing what the big operators do, e.g.
> >
> > $ dig +noall +answer +nottl NSEC3PARAM com. edu. net. org.
> > com. IN NSEC3PARAM 1 0 0 -
> > edu. IN NSEC3PARAM 1 0 0 -
> > net. IN NSEC3PARAM 1 0 0 -
> > org. IN NSEC3PARAM 1 0 1 D399EAAB
> >
> > (AFAIK the salt used for "org" has never changed - and the same value
> > is used for 23 other TLDs.) A quick check revealed 216 TLDs [*] with
> > NSEC3PARAM records, distributed as follows:
> >
> > Extra                    Salt length (bytes)                   Total
> > iterations    0    2    3    4    5    6    8   10   16
> >
> >          0    7    -    -    -    -    -    -    -    -      7
> >          1    -    -    -  125    -    -    1    -    -    126
> >          2    -    -    -    2    -    -    -    -    1      3
> >          3    -    3    -    1    -    -    -    -    -      4
> >          5    1    -    -    1    5    -   15    1    -     23
> >          8    -    -    -    -    -    2    -    -    -      2
> >         10    2    4    5   25    -    -    1    -    -     37
> >         12    -    -    -    -    -    -    5    1    -      6
> >         13    -    -    1    -    -    -    -    -    -      1
> >         15    -    -    -    1    -    -    -    -    -      1
> >         17    -    -    -    -    -    -    1    -    -      1
> >         25    -    -    -    -    -    -    2    -    -      2
> >        100    -    -    -    -    -    -    1    -    -      1
> >        150    -    -    -    1    -    -    1    -    -      2
> >
> > Total        10    7    6  156    5    2   27    2    1    216
>
>
> That's interesting. It seems to contradict Lucas' advice to "always use
> '1 0 10' for these [NSEC3] flags, as fewer aren't secure enough and more
> aren't any more secure."
>
> dn
Like many things it depends upon what you are doing. Many TLDs
only want NSEC3 for the OPTOUT flag. They don't care about offline
enumeration. You only change the salt and use non-zero
iterations if you care about offline enumeration.

Opt-out gives them 1 in x delegations with an NSEC3 record compared
to every delegation with an NSEC record. They already know that
most of the names in the zone are known. Somewhere around 1 in 1.x
delegations is where NSEC starts taking up less space.

Remember that NSEC3 cannot make zone enumeration more secure than just
querying the servers themselves. The idea is to make offline
enumeration about as expensive as online.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
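Added worked example (not part of Mark's reply, and not BIND or ISC code): the
NSEC3 owner-name hash of RFC 5155 section 5, a parser for NSEC3PARAM text such as
the "1 0 0 -" and "1 0 1 D399EAAB" records quoted above, and a toy offline
enumeration run that re-hashes a wordlist against a zone's NSEC3 hashes. It
makes the trade-off concrete: with iterations 0 every guess costs one SHA-1, each
extra iteration adds one more, and rotating the salt changes every hash so any
table precomputed under the old salt is useless. The zone name, the "secret"
labels, the WORDLIST and the function names are constructed for the example.

```python
"""NSEC3 hashing (RFC 5155 section 5) and a toy offline-enumeration cost model.

Added example for the bind-users thread on NSEC3 salt and iterations; not code
from the thread, BIND or ISC. Zone, labels and wordlist below are constructed.
"""
import base64
import hashlib

# Standard base32 alphabet -> base32hex ("Extended Hex") alphabet, the encoding
# NSEC3 owner names use (RFC 5155 section 3.3, RFC 4648 section 7).
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)

# Constructed wordlist standing in for the dictionaries an enumeration tool
# would feed to the hash (assumption for this example, not from the thread).
WORDLIST = ["www", "mail", "ftp", "ns1", "vpn", "intranet", "dev", "staging"]


def name_to_wire(name):
    """Canonical (lowercased), uncompressed wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_nsec3param(rdata):
    """Parse NSEC3PARAM presentation text, e.g. '1 0 1 D399EAAB' or '1 0 0 -'.

    Returns (hash_alg, flags, iterations, salt_bytes); '-' is the empty salt.
    """
    alg, flags, iterations, salt = rdata.split()
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return int(alg), int(flags), int(iterations), salt_bytes


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: H(x) = SHA-1(x || salt), applied iterations+1 times.

    Returns the lowercase base32hex string used as the NSEC3 owner label.
    """
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii").lower()


def offline_enumerate(observed_hashes, zone, candidates, salt, iterations):
    """Re-hash each candidate label under the zone's NSEC3PARAM and match it
    against NSEC3 owner hashes collected from the zone (the offline attack).

    Returns (recovered {hash: name}, number of SHA-1 invocations spent).
    """
    targets = set(observed_hashes)
    recovered = {}
    sha1_calls = 0
    for label in candidates:
        name = label + "." + zone
        sha1_calls += iterations + 1          # cost of one guess
        h = nsec3_hash(name, salt, iterations)
        if h in targets:
            recovered[h] = name
    return recovered, sha1_calls


def enumeration_report(params_text, zone, secret_labels, candidates):
    """Operator side: hash the zone's names under params_text. Attacker side:
    run the wordlist against those hashes. Returns (names recovered, SHA-1 calls)."""
    _alg, _flags, iterations, salt = parse_nsec3param(params_text)
    observed = [nsec3_hash(label + "." + zone, salt, iterations) for label in secret_labels]
    recovered, cost = offline_enumerate(observed, zone, candidates, salt, iterations)
    return sorted(recovered.values()), cost


if __name__ == "__main__":
    zone = "example."
    secret = ["www", "mail", "intranet", "zq7x"]   # zq7x is not in WORDLIST
    for params in ("1 0 0 -", "1 0 1 D399EAAB", "1 0 10 CAFEBABE", "1 0 150 CAFEBABE"):
        names, cost = enumeration_report(params, zone, secret, WORDLIST)
        print(f"{params:<20} recovered {names} after {cost} SHA-1 calls")
    old = nsec3_hash("www.example.", b"", 0)
    new = nsec3_hash("www.example.", bytes.fromhex("D399EAAB"), 0)
    print("salt change invalidates a precomputed table:", old != new)
```

The guessable labels fall to every setting; only the per-guess cost changes, which
is Mark's point that the salt and iteration count buy nothing unless offline
enumeration is what you are defending against. The RFC 5155 Appendix A zone
(salt aabbccdd, 12 iterations) can be used to check the hash function: the apex
"example." hashes to 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.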