Hello Mark,

Mark Andrews <ma...@isc.org> writes:
> Actually it is useless to change the salt regularly. Changing the
> salt provides no real benefit against discovering the names in a
> zone, which is the reason people were saying to change the salt.
>
> The attacker uses cached NSEC3 records. When it gets a cache miss
> it asks the servers for the zone, puts the answer in the cache and
> continues. When the salt changes it just maintains multiple NSEC3
> chains, eventually discarding the old NSEC3 chain. I
> would wait until the new NSEC3 chain has as many cached records as
> the old NSEC3 chain. Changing the salt slows things up minimally
> for a very short period of time after the change. Additionally,
> once you have some names you ask for those names for a non-existing
> type to quickly pull in part of the new NSEC3 chain you know exists.
>
> The only reason to change the salt is if you have a collision of
> the hashed names. This will be a very very very rare event.

This is new for me (I must somehow have missed it if this was previously discussed). I do not want to give useless or misguiding advice. I do not understand how the NSEC3 hash can be defeated by an attacker. Could you give a link to additional information, or could you explain the issue with the NSEC3 salt in other words?

Best regards

Carsten

--
Carsten Strotmann
Email: c...@strotmann.de
Blog: strotmann.de
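As an added illustration of the two points in the thread, not code from either poster or from BIND: the NSEC3 hash (RFC 5155) is a function of the owner name, the salt and the iteration count, all of which are published in the NSEC3/NSEC3PARAM records themselves, so anyone who already knows a name can recompute where it sits in a chain built with a new salt; and a zone operator can check the one case Mark names as a real reason to re-salt, a hash collision between two names in the zone. Function names and the sample zone names are my own.

```python
import base64
import hashlib

# RFC 5155 section 5: H(x) = SHA-1(x || salt), then `iterations` further rounds
# of SHA-1(previous || salt), over the owner name in canonical wire format.
def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # Base32 with the extended-hex alphabet (RFC 4648 section 7), lowercase;
    # 20 bytes encode to exactly 32 characters, so there is no padding.
    std = base64.b32encode(digest).decode("ascii")
    table = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          "0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return std.translate(table).lower()

def find_hash_collisions(names, salt_hex: str, iterations: int):
    """Operator-side check: return (name_a, name_b, hash) triples for any two
    distinct names in the zone that hash to the same NSEC3 owner."""
    seen = {}
    collisions = []
    for n in names:
        h = nsec3_hash(n, salt_hex, iterations)
        if h in seen and seen[h] != n:
            collisions.append((seen[h], n, h))
        seen[h] = n
    return collisions

if __name__ == "__main__":
    # RFC 5155 Appendix A parameters: SHA-1, salt aabbccdd, 12 iterations.
    print(nsec3_hash("example.", "aabbccdd", 12))  # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    # The salt is public, so a known name's hash under a new salt is one call away
    # (the second salt is a constructed value).
    for salt in ("aabbccdd", "0123abcd"):
        print(salt, nsec3_hash("www.example.", salt, 12))
    # Constructed zone contents: the check an operator would run before re-salting.
    zone = ["example.", "www.example.", "mail.example."]
    print(find_hash_collisions(zone, "aabbccdd", 12))  # []
```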