1 Apr 2021, 8 a.m.
On Wed, Mar 31, 2021 at 05:20:25PM -0400, Viktor Dukhovni wrote:
> If your DNS zone is configured to use NSEC3, please:
>
> - Reduce the iteration count to 10 or less.
> - Disable opt-out, you're very unlikely to need it.
> - Either rotate the salt each time you sign, or skip it entirely. But a short fixed salt is harmless if leaving it alone is easier than changing it.
>
> Of course, if your zone is small enough (just the zone apex and a handful of already public or easy-to-guess names) or in any case has nothing to hide, even better is to use just plain NSEC. You get smaller negative replies (less exposure to DoS) and more effective negative caching at resolvers. So in many cases, it is even simpler to abandon NSEC3 entirely. Please also consider the pros/cons of that option.
Thank you. Back to the basics.
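The quoted checklist as code, added here as an illustration and not part of the thread or of any DNS software: `lint_nsec3()` takes the leading rdata fields of an NSEC3 or NSEC3PARAM record (hash algorithm, flags, iterations, salt) and reports which of the three recommendations it violates, and `nsec3_hash()` implements the RFC 5155 hashed owner name so the cost of the iteration count (one extra SHA-1 per iteration, per hashed name, on every resolver that validates a negative answer) is visible. The 10-iteration limit comes from the quoted text; the 8-byte "short salt" threshold is an assumption of this example, as are the sample rdata strings.

```python
"""Check NSEC3 parameters against the quoted recommendations and compute
NSEC3 hashed owner names (RFC 5155 section 5) to show what iterations cost."""
import base64
import hashlib

# base64.b32encode emits the RFC 4648 alphabet A-Z2-7; NSEC3 owner names use
# the "extended hex" alphabet 0-9A-V (lowercased in zone files). 20 SHA-1
# bytes encode to exactly 32 characters, so no padding appears.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

MAX_ITERATIONS = 10   # the recommendation quoted above: 10 or fewer
MAX_SALT_BYTES = 8    # "short fixed salt" threshold; an assumption of this example


def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminated by the empty root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """Hashed owner name per RFC 5155 section 5:
    IH(0) = SHA1(name || salt), IH(k) = SHA1(IH(k-1) || salt),
    i.e. iterations + 1 digests per name. '-' means an empty salt."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii").lower()


def lint_nsec3(rdata: str) -> list:
    """Findings for the rdata of one NSEC3 or NSEC3PARAM record. Both start
    with 'hash-alg flags iterations salt'. The opt-out bit (flags & 1) is only
    meaningful on NSEC3 records; NSEC3PARAM flags are always zero, so an
    NSEC3PARAM alone cannot tell you whether opt-out is in use."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("need at least 'alg flags iterations salt'")
    alg, flags, iterations = (int(f) for f in fields[:3])
    salt = fields[3]
    findings = []
    if alg != 1:
        findings.append(f"hash algorithm {alg} is not 1 (SHA-1), the only defined value")
    if iterations > MAX_ITERATIONS:
        findings.append(f"iterations={iterations} exceeds {MAX_ITERATIONS}; every hashed "
                        f"name costs a validating resolver {iterations + 1} SHA-1 digests")
    if flags & 0x01:
        findings.append("opt-out flag is set; disable it unless the zone really needs it")
    if salt != "-" and len(salt) // 2 > MAX_SALT_BYTES:
        findings.append(f"salt is {len(salt) // 2} bytes; use '-' (none) or a short salt, "
                        f"and rotate it at each signing if you keep one")
    return findings


if __name__ == "__main__":
    # Parameters used by the RFC 5155 Appendix A example zone (opt-out, 12 iterations).
    for rd in ("1 1 12 aabbccdd", "1 0 10 -", "1 0 5 " + "ab" * 16):   # constructed samples
        print(f"{rd!r}: {lint_nsec3(rd) or ['ok']}")
    print("example. ->", nsec3_hash("example.", "aabbccdd", 12))
```

Run against the NSEC3PARAM record of your own zone (`dig +dnssec example.com NSEC3PARAM`) and against one of its NSEC3 records, since only the latter carries the opt-out flag; an empty finding list means the zone already follows the quoted advice.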