RFC 5155 defined NSEC3 iterations to scale up with the RSA/DSA key size up to perhaps as high as 2500 iterations for 4096-bit keys. In retrospect such a generous iteration allowance proved counter-productive. It is neither particularly effective at keeping your zone content "secret", nor sufficiently cheap to avoid negative impact on authoritative and iterative resolver performance.
In that light, Wes Hardaker and I are working on an Internet-Draft that strongly recommends setting the NSEC3 additional iteration count to 0 (at least one initial SHA1 hash is always performed).
https://tools.ietf.org/html/draft-hardaker-dnsop-nsec3-guidance-02
Today, the Knot resolver became the first one to cap NSEC3 iterations for now at 150, but this will likely be reduced further:
https://gitlab.nic.cz/knot/knot-resolver/-/tags/v5.3.1
and is expected to be done by more resolvers.
Since DANE SMTP downgrade-resistance relies critically on the security of denial-of-existence, but iteration counts above the resolver cap make denial-of-existence for the entire zone insecure, it is important that all domains with an NSEC3 iteration count in excess of ~25 proactively lower their iteration counts (ideally to 0, but otherwise ~10 or less).
A number of TLDs have already done this, and most of the rest will follow soon.
TLD before after --- ------ ----- la 150 1 xn--q7ce6a 150 1 blue 100 10 green 100 10 lat 100 10 mx 100 10 pink 100 10 red 100 10 schaeffler 100 10 by 100 3 creditunion 100 3 ally 100 1 autos 100 1 boats 100 1 homes 100 1 motorcycles 100 1 yachts 100 1
If your DNS zone is configured to use NSEC3, please:
- Reduce the iteration count to 10 or less.
- Disable opt-out, you're very unlikely to need it.
- Either rotate the salt each time you sign, or skip it entirely. But a short fixed salt is harmless if leaving it alone easier than changing it.
Of course, if your zone is small enough (just the zone apex and a handful of already public or easy to guess names) or in any case has nothing to hide, even better is to use just plain NSEC. You get smaller negative replies (less exposure to DoS) and more effective negative caching at resolvers. So in many cases, it is even simpler to abandon NSEC3 entirely. Please also consider the pros/cons of that option.
My impression is that this list has a small subscriber base, feel free to pass this message along...