I always liken arguments such as this to a leaky boat.   While one
certainly does more to eliminate the boat filling with water by plugging
the big holes that does NOT mean there is no value is caulking the small
ones.  Over time enough of the small ones might be enough to swamp the

-----Original Message-----
From: bind-users-bounces+jlightner=water....@lists.isc.org
[mailto:bind-users-bounces+jlightner=water....@lists.isc.org] On Behalf
Of Phil Mayers
Sent: Tuesday, September 21, 2010 10:56 AM
To: bind-users@lists.isc.org
Subject: Re: NSEC3 salt lifetime (and some other DNSSEC params): sane

On 21/09/10 14:43, Niobos wrote:
> On 2010-09-21 15:32, Kalman Feher wrote:
>> On 21/09/10 8:43 AM, "Niobos"<nio...@dest-unreach.be>  wrote:
>> I personally find protection against zone enumeration to be a false
sense of
>> security. If it's public people will find it. Ask your self what it
is that
>> you want publically accessible yet you don't want others to be aware
> I'll reply with a quote from the BIND&  DNS book:
> It's the difference between letting random folks call your company's
> switchboard and ask for John Q. Cubicle's phone number [versus]
> them a copy of your corporate phone directory.

That is a poor analogy.

Do you have reverse DNS in .in-addr.arpa?

Have you timed how long an "nmap -sL yoursubnet/mask" takes? Because it 
doesn't take very long for us, and we've got a lot of large subnets.

Attackers can gain a lot of info from this; certainly not *all* forward 
lookups, but a lot of them. Pretending that stopping zone enumeration is

much of a security boost is just that IMHO - pretending.
bind-users mailing list
Proud partner. Susan G. Komen for the Cure.
Please consider our environment before printing this e-mail or attachments.
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential 
information and is for the sole use of the intended recipient(s). If you are 
not the intended recipient, any disclosure, copying, distribution, or use of 
the contents of this information is prohibited and may be unlawful. If you have 
received this electronic transmission in error, please reply immediately to the 
sender that you have received the message in error, and delete it. Thank you.
bind-users mailing list

Reply via email to