It appears that Jim Reid <j...@rfc1035.com> said:
>
>
>> On 27 Mar 2024, at 19:37, Ondřej Surý <ond...@sury.org> wrote:
>> 
>> Both salt and iterations have absolutely no value for NSEC3 security (see 
>> the RFC you just quoted), so just always use empty salt and zero iterations.
> There’s no added value in fiddling with salt to fit into the SHA1 block.
>
> IMO, there’s no added value in using NSEC3.

My understanding is that if you want to prevent zone enumeration you
are better off with RFC 4470 white lies. You'd only need NSEC3 if your
zone security is so critical that you need to do offline signing.

But the overlap between the zones that are that critical and the ones
that try to keep their contents secret (realizing that passive DNS
makes the whole thing pretty silly) is vanishingly small.

R's,
John
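For readers following the salt/iterations point in the quoted text, here is an added worked example (not part of the original thread or of any DNS software). It implements the NSEC3 owner-name hash from RFC 5155 section 5, so you can see that every extra iteration is just one more SHA-1 over the previous digest plus the salt, and it parses NSEC3PARAM records in presentation format and flags any zone whose parameters depart from the RFC 9276 guidance of zero iterations and an empty salt. The parameters of the first sample record are the ones used in RFC 5155 Appendix A; the second record is constructed for this example.

```python
import base64
import hashlib

# RFC 4648 standard base32 alphabet -> "extended hex" alphabet used for NSEC3 owner names
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    "0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of a fully qualified owner name (RFC 4034 s.6.2)."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label length in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 s.5: H(x) = SHA-1(x || salt), applied iterations+1 times, base32hex encoded."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    # Each iteration re-hashes the previous digest with the salt appended; it adds work
    # for signer, resolver and anyone enumerating, but no cryptographic strength.
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    encoded = base64.b32encode(digest).decode("ascii")
    return encoded.translate(_B32_TO_B32HEX).rstrip("=").lower()


def parse_nsec3param(line: str) -> dict:
    """Parse one NSEC3PARAM record in presentation format: owner [ttl] [class] NSEC3PARAM alg flags iter salt."""
    fields = line.split()
    if "NSEC3PARAM" not in fields:
        raise ValueError("not an NSEC3PARAM record")
    i = fields.index("NSEC3PARAM")
    algorithm, flags, iterations, salt = fields[i + 1:i + 5]
    return {
        "owner": fields[0],
        "algorithm": int(algorithm),
        "flags": int(flags),
        "iterations": int(iterations),
        "salt": "" if salt == "-" else salt.lower(),  # "-" means empty salt
    }


def assess_nsec3param(rec: dict) -> list:
    """Findings against RFC 9276 guidance: SHA-1 (alg 1), zero iterations, empty salt."""
    findings = []
    if rec["algorithm"] != 1:
        findings.append(f"hash algorithm {rec['algorithm']} is not defined (only 1 = SHA-1)")
    if rec["iterations"] > 0:
        findings.append(f"iterations={rec['iterations']}: adds cost but no security; use 0")
    if rec["salt"]:
        findings.append(f"salt={rec['salt']}: adds no security; use an empty salt (-)")
    return findings


# Sample records: the first uses the parameters from RFC 5155 Appendix A,
# the second is constructed for this example.
SAMPLE_RECORDS = [
    "example. 3600 IN NSEC3PARAM 1 0 12 aabbccdd",
    "good.example. 3600 IN NSEC3PARAM 1 0 0 -",
]

if __name__ == "__main__":
    # Apex hash for the RFC 5155 Appendix A zone: 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    print("H(example.) =", nsec3_hash("example.", "aabbccdd", 12))
    for line in SAMPLE_RECORDS:
        rec = parse_nsec3param(line)
        findings = assess_nsec3param(rec) or ["ok: matches RFC 9276 guidance"]
        print(rec["owner"], "->", "; ".join(findings))
```

The checker deliberately reports nothing about zone enumeration itself: as the thread notes, NSEC3 with any parameters only slows enumeration, and large iteration counts can make validating resolvers treat the zone as insecure (RFC 9276), so the only settings worth recommending are the trivial ones.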
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations