oooooops!
I just set the nsec3 params to 1 0 17 "16 digit random number"
I guess I will just have to back off.
As you point out, a PTR lookup probably does everything that an attack would do anyway. If that is the case, is it pointless to have NSEC3 set at all?
JohnA
On 2017-02-28 9:12 PM, Viktor Dukhovni wrote:
On Feb 28, 2017, at 8:36 PM, John Allen john@klam.ca wrote:
How often should the NSEC3 params (salt in particular) be changed.
For now, never. Choose a suitable random value around 8 octets long, and keep it fixed.
Transitions between different NSEC3PARAM values may not be seamless, and for many domains the bulk of the names are trivially found via PTR lookups for their IPv4 blocks.
You probably don't have any strong reasons to attempt to hide the names in your domain. I also don't encourage large iteration counts, 10 or less, perhaps 0 is best in most cases. This reduces the CPU load on your server in generating negative replies.
The ".com" zone uses an iteration count of zero and an empty salt:
com. NSEC3PARAM 1 0 0 -
This is a good starting point.
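To make the advice in the thread concrete (a salt of roughly 8 random octets, an iteration count of 0 or a small number, and the NSEC3PARAM presentation format shown for .com), here is an added example that is not part of the original mailing-list exchange. It generates a salt, builds and parses the NSEC3PARAM RDATA, and computes the NSEC3 owner-name hash exactly as RFC 5155 section 5 specifies, so the cost of each extra iteration (one more SHA-1 per name, on every negative answer the server signs) is visible in code. The function names are my own; the salt aabbccdd with 12 iterations is the published test vector from RFC 5155 Appendix A.

```python
import base64
import hashlib
import secrets

# RFC 5155 writes NSEC3 owner names in base32hex (RFC 4648 "Extended Hex"
# alphabet); Python's b32encode uses the standard alphabet, so translate it.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    "0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format encoding of a domain name."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label {label!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"  # the empty root label terminates the name


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt).

    Hash algorithm 1 (SHA-1) is the only one defined for NSEC3.
    """
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):  # each iteration is one more SHA-1 per name
        digest = hashlib.sha1(digest + salt).digest()
    # 160 bits -> exactly 32 base32hex characters, so no padding to strip
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def sha1_calls_per_name(iterations: int) -> int:
    """SHA-1 invocations the signer or server spends hashing one name."""
    return iterations + 1


def random_salt(length: int = 8) -> bytes:
    """A fresh random salt; 8 octets is the size suggested in the thread."""
    return secrets.token_bytes(length)


def nsec3param_rdata(iterations: int, salt: bytes) -> str:
    """Presentation-format RDATA: hash-alg flags iterations salt.

    The NSEC3PARAM flags field has no defined bits and must be 0;
    an empty salt is written as '-'.
    """
    return f"1 0 {iterations} {salt.hex() if salt else '-'}"


def parse_nsec3param_rdata(rdata: str) -> tuple:
    """Inverse of nsec3param_rdata: (algorithm, flags, iterations, salt bytes)."""
    alg, flags, iterations, salt = rdata.split()
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return int(alg), int(flags), int(iterations), salt_bytes


if __name__ == "__main__":
    # The .com setting quoted in the thread: zero iterations, empty salt.
    print("com. NSEC3PARAM", nsec3param_rdata(0, b""))
    # A private-zone setting following the advice: random 8-octet salt, 0 iterations.
    salt = random_salt()
    print("example.net. NSEC3PARAM", nsec3param_rdata(0, salt))
    print("hashed owner for example.net.:", nsec3_hash("example.net.", salt, 0))
    print("SHA-1 calls per name at 17 iterations:", sha1_calls_per_name(17))
```

A NXDOMAIN proof has the server hash more than one name (closest encloser, next closer name and the wildcard candidate), so the per-name cost above is multiplied on every negative response; that is the CPU argument for keeping iterations near zero.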