Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-22 Thread Kalman Feher
On 22/09/10 4:14 AM, Doug Barton do...@dougbarton.us wrote: On 9/21/2010 7:46 AM, Kalman Feher wrote: It may well be analogous to that (though I disagree), but the quote does not substantiate why knowing public information is bad. In the example above, you've simply saved your switchboard

Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-22 Thread Niobos
On 2010-09-21 16:46, Kalman Feher wrote: If you don't want someone to know it, don't make it public (at the very least). I agree totally! You'll have to accept that no matter what steps you take, your public information will be available to those who wish to find it. I agree. But I'd argue

Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-22 Thread Niobos
On 2010-09-21 16:56, Phil Mayers wrote: On 21/09/10 14:43, Niobos wrote: On 2010-09-21 15:32, Kalman Feher wrote: On 21/09/10 8:43 AM, Niobosnio...@dest-unreach.be wrote: I personally find protection against zone enumeration to be a false sense of security. If it's public people will find

Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-22 Thread Matus UHLAR - fantomas
I'll reply with a quote from the BIND DNS book: It’s the difference between letting random folks call your company’s switchboard and ask for John Q. Cubicle’s phone number [versus] sending them a copy of your corporate phone directory. That is a poor analogy. imho it's perfect. On

Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-22 Thread Kalman Feher
On 22/09/10 11:29 AM, Matus UHLAR - fantomas uh...@fantomas.sk wrote: I'll reply with a quote from the BIND DNS book: It¹s the difference between letting random folks call your company¹s switchboard and ask for John Q. Cubicle¹s phone number [versus] sending them a copy of your

Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-21 Thread Niobos
Thank you for the excellent advice! On 2010-09-20 18:09, Kevin Oberman wrote: I recommend anyone attempting to secure their DNS read the NIST Computer Security Resource Center document SP800-81 Rev.1, Secure Domain Naming System (DNS) Guide at:

Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-21 Thread Kalman Feher
On 21/09/10 8:43 AM, Niobos nio...@dest-unreach.be wrote: Thank you for the excellent advice! On 2010-09-20 18:09, Kevin Oberman wrote: I recommend anyone attempting to secure their DNS read the NIST Computer Security Resource Center document SP800-81 Rev.1, Secure Domain Naming System

Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-21 Thread Niobos
On 2010-09-21 15:32, Kalman Feher wrote: On 21/09/10 8:43 AM, Niobos nio...@dest-unreach.be wrote: I personally find protection against zone enumeration to be a false sense of security. If it's public people will find it. Ask your self what it is that you want publically accessible yet you

Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-21 Thread Phil Mayers
On 21/09/10 14:43, Niobos wrote: On 2010-09-21 15:32, Kalman Feher wrote: On 21/09/10 8:43 AM, Niobosnio...@dest-unreach.be wrote: I personally find protection against zone enumeration to be a false sense of security. If it's public people will find it. Ask your self what it is that you want

Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-21 Thread Doug Barton
On 9/21/2010 7:46 AM, Kalman Feher wrote: It may well be analogous to that (though I disagree), but the quote does not substantiate why knowing public information is bad. In the example above, you've simply saved your switchboard and the caller some time. If you don't want someone to know it,

Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-21 Thread Warren Kumari
On Sep 21, 2010, at 10:14 PM, Doug Barton wrote: On 9/21/2010 7:46 AM, Kalman Feher wrote: It may well be analogous to that (though I disagree), but the quote does not substantiate why knowing public information is bad. In the example above, you've simply saved your switchboard and the

Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-20 Thread Kevin Oberman
Date: Mon, 20 Sep 2010 11:03:31 +0200 From: Kalman Feher kalman.fe...@melbourneit.com.au Sender: bind-users-bounces+oberman=es@lists.isc.org Apologies in advance for the longer than intended reply. I've spent a lot of time reviewing documents regarding timing values and they vary

Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-20 Thread Kalman Feher
On 20/09/10 6:09 PM, Kevin Oberman ober...@es.net wrote: Date: Mon, 20 Sep 2010 11:03:31 +0200 From: Kalman Feher kalman.fe...@melbourneit.com.au Sender: bind-users-bounces+oberman=es@lists.isc.org Apologies in advance for the longer than intended reply. I've spent a lot of time