I always liken arguments such as this to a leaky boat. While one certainly does more to eliminate the boat filling with water by plugging the big holes that does NOT mean there is no value is caulking the small ones. Over time enough of the small ones might be enough to swamp the boat.
-----Original Message----- From: bind-users-bounces+jlightner=water....@lists.isc.org [mailto:bind-users-bounces+jlightner=water....@lists.isc.org] On Behalf Of Phil Mayers Sent: Tuesday, September 21, 2010 10:56 AM To: bind-users@lists.isc.org Subject: Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value? On 21/09/10 14:43, Niobos wrote: > On 2010-09-21 15:32, Kalman Feher wrote: >> On 21/09/10 8:43 AM, "Niobos"<nio...@dest-unreach.be> wrote: >> I personally find protection against zone enumeration to be a false sense of >> security. If it's public people will find it. Ask your self what it is that >> you want publically accessible yet you don't want others to be aware of. > I'll reply with a quote from the BIND& DNS book: > It's the difference between letting random folks call your company's > switchboard and ask for John Q. Cubicle's phone number [versus] sending > them a copy of your corporate phone directory. That is a poor analogy. Do you have reverse DNS in .in-addr.arpa? Have you timed how long an "nmap -sL yoursubnet/mask" takes? Because it doesn't take very long for us, and we've got a lot of large subnets. Attackers can gain a lot of info from this; certainly not *all* forward lookups, but a lot of them. Pretending that stopping zone enumeration is much of a security boost is just that IMHO - pretending. _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users Proud partner. Susan G. Komen for the Cure. Please consider our environment before printing this e-mail or attachments. ---------------------------------- CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you. ---------------------------------- _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users