I just sent the following to bind-users. We need to kill the myth that changing NSEC3 salt provides any real benefit.
"Actually it is useless to change the salt regularly. Changing the salt provides no real benefit against discovering the names in a zone, which is the reason people were saying to change the salt.

The attacker uses cached NSEC3 records. When it gets a cache miss it asks the servers for the zone, puts the answer in the cache and continues. When the salt changes it just maintains multiple NSEC3 chains, eventually discarding the old NSEC3 chain. I would wait until the new NSEC3 chain has as many cached records as the old NSEC3 chain. Changing the salt slows things up minimally for a very short period of time after the change. Additionally, once you have some names you ask for those names for a non-existing type to quickly pull in part of the new NSEC3 chain you know exists.

The only reason to change the salt is if you have a collision of the hashed names. This will be a very very very rare event."

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: [email protected]

DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
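The walking procedure Mark describes, as an added example that is not part of the original post and not ISC or BIND code: a Python simulation with a constructed toy zone standing in for the authoritative server, an attacker that caches NSEC3 records per (salt, iterations) pair and only queries on a cache miss, an offline dictionary crack of the cached hashes, and the salt rotation. The `nsec3_hash` function follows RFC 5155 section 5; the zone contents, the wordlist, the random-label probing strategy and the `ToyZone`/`Walker` classes are assumptions made for the example.

```python
import base64
import bisect
import hashlib
import random
import string

B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"


def wire_name(name):
    """Canonical (lowercase) wire format of a fully qualified name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1 applied iterations+1 times, salt appended each round,
    result in base32hex (lowercase here, as in the RFC's examples)."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).translate(bytes.maketrans(B32_STD, B32_HEX)).decode().lower()


class ToyZone:
    """Constructed stand-in for an NSEC3-signed authoritative server (assumption, not a real
    server). Every query is for a type no name owns, so each answer is NODATA or NXDOMAIN and
    carries the NSEC3 record that matches or covers the queried name's hash."""

    def __init__(self, origin, names, salt, iterations):
        self.origin, self.names, self.queries = origin, set(names), 0
        self.resalt(salt, iterations)

    def resalt(self, salt, iterations):
        """Operator rotates the salt: the whole chain is rehashed."""
        self.params = (salt, iterations)
        self.chain = sorted(nsec3_hash(n, salt, iterations) for n in self.names)

    def query(self, name):
        self.queries += 1
        h = nsec3_hash(name, *self.params)
        i = bisect.bisect_right(self.chain, h) - 1      # last owner <= h; -1 wraps to the ring's end
        owner, nxt = self.chain[i], self.chain[(i + 1) % len(self.chain)]
        return self.params, owner, nxt


class Walker:
    """Attacker side: caches NSEC3 records per (salt, iterations) and only queries on a miss."""

    def __init__(self):
        self.chains = {}        # (salt, iterations) -> {owner_hash: next_hash}
        self.known = set()      # names recovered offline from cached hashes
        self.probes = 0         # labels hashed locally (cache lookups, free for the attacker)

    def covered(self, params, h):
        """True if h matches a cached owner or falls inside a cached interval (ring wraps)."""
        for owner, nxt in self.chains.get(params, {}).items():
            if h == owner or owner < h < nxt or (nxt < owner and (h > owner or h < nxt)):
                return True
        return False

    def complete(self, params):
        """The zone's chain is one cycle, so a cached subset closed under 'next' is the whole chain."""
        chain = self.chains.get(params, {})
        return bool(chain) and all(nxt in chain for nxt in chain.values())

    def learn(self, zone, name):
        params, owner, nxt = zone.query(name)
        self.chains.setdefault(params, {})[owner] = nxt

    def walk(self, zone, rng):
        """Random labels are hashed locally; only a hash outside every cached interval costs a query."""
        while not self.complete(zone.params):
            self.probes += 1
            probe = "".join(rng.choices(string.ascii_lowercase, k=8)) + "." + zone.origin
            if not self.covered(zone.params, nsec3_hash(probe, *zone.params)):
                self.learn(zone, probe)

    def crack(self, params, wordlist):
        """Offline dictionary attack on the cached owner hashes."""
        owners = self.chains.get(params, {})
        self.known.update(w for w in wordlist if nsec3_hash(w, *params) in owners)
        return len(self.known)

    def refresh(self, zone):
        """After a salt change: one query for a non-existing type per known name pulls that name's
        matching record in the new chain; the old chain stays cached alongside it."""
        for name in sorted(self.known):
            self.learn(zone, name)
        return self.complete(zone.params)


def demo(seed=7):
    origin = "example."                                   # constructed zone contents
    hosts = ["www", "mail", "ns1", "ns2", "dev", "vpn", "ftp", "git"]
    names = [origin] + [h + "." + origin for h in hosts]
    zone = ToyZone(origin, names, bytes.fromhex("aabbccdd"), 5)
    w, rng = Walker(), random.Random(seed)
    w.walk(zone, rng)
    first_queries, first_probes = zone.queries, w.probes
    wordlist = names + [h + "." + origin for h in ("admin", "test")]   # constructed wordlist
    cracked = w.crack(zone.params, wordlist)
    zone.resalt(bytes.fromhex("11223344"), 5)             # the operator rotates the salt
    refreshed = w.refresh(zone)
    return {
        "first_walk_queries": first_queries, "first_walk_probes": first_probes,
        "cracked": cracked, "chains_cached": len(w.chains),
        "refresh_queries": zone.queries - first_queries, "refresh_probes": w.probes - first_probes,
        "new_chain_complete": refreshed,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three points in the post as numbers: the first walk needs one query per NSEC3 record plus many local hash probes to land in the last uncovered intervals, the walker ends up holding two chains after the rotation, and filling the new chain costs exactly one query per name already cracked, with no probing at all. To check `nsec3_hash` itself, hash the names from RFC 5155 Appendix A with its parameters (salt `aabbccdd`, 12 iterations) and compare against the NSEC3 owner names printed there.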
