On Feb 28, 2017, at 8:36 PM, John Allen john@klam.ca wrote:
How often should the NSEC3 params (salt in particular) be changed?
For now, never. Choose a suitable random value around 8 octets long, and keep it fixed.
Transitions between different NSEC3PARAM values may not be seamless, and for many domains the bulk of the names are trivially found via PTR lookups for their IPv4 blocks.
You probably don't have any strong reasons to attempt to hide the names in your domain. I also don't encourage large iteration counts, 10 or less, perhaps 0 is best in most cases. This reduces the CPU load on your server in generating negative replies.
The ".com" zone uses an iteration count of zero and an empty salt:
com. NSEC3PARAM 1 0 0 -
This is a good starting point.
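Added example, not from the thread above: a small Python script that parses an NSEC3PARAM record such as the ".com" one quoted above and computes the RFC 5155 NSEC3 owner-name hash (SHA-1 over the wire-format name plus salt, re-hashed `iterations` times, base32hex-encoded). Running it with the test vector from RFC 5155 Appendix A and then with the ".com" parameters makes the CPU argument concrete: every name the server must hash for a negative answer costs `iterations + 1` SHA-1 calls, so an iteration count of 0 is the cheapest setting. The helper names (`wire_name`, `nsec3_hash`, `parse_nsec3param`, `sha1_calls_per_name`) are my own.

```python
import hashlib

# base32 with the "extended hex" alphabet (RFC 4648 section 7), as NSEC3 requires
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name: lowercase, length-prefixed labels, root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label {label!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt); IH(k) = H(IH(k-1) || salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte SHA-1 output -> 32 base32hex characters, no padding needed
    import base64
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def parse_nsec3param(rr: str) -> dict:
    """Parse a presentation-format NSEC3PARAM record; "-" means an empty salt."""
    fields = rr.split()
    i = fields.index("NSEC3PARAM")
    alg, flags, iters, salt = fields[i + 1:i + 5]
    return {
        "owner": fields[0],
        "algorithm": int(alg),
        "flags": int(flags),
        "iterations": int(iters),
        "salt": b"" if salt == "-" else bytes.fromhex(salt),
    }


def sha1_calls_per_name(iterations: int) -> int:
    """SHA-1 invocations the signer or server spends hashing one owner name."""
    return iterations + 1


if __name__ == "__main__":
    # RFC 5155 Appendix A parameters: algorithm 1, 12 iterations, salt aabbccdd
    print(nsec3_hash("example.", bytes.fromhex("aabbccdd"), 12))
    # The ".com" record quoted in the thread
    com = parse_nsec3param("com. NSEC3PARAM 1 0 0 -")
    print(com, nsec3_hash("example.com.", com["salt"], com["iterations"]))
    for n in (0, 10, 100):
        print(f"iterations={n}: {sha1_calls_per_name(n)} SHA-1 calls per name")
```

Note that the hash is over the canonical (lowercased) owner name, so `WWW.Example.COM.` and `www.example.com` hash identically; that is also why a fixed salt never weakens anything about the name itself.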