[dns-operations] Forged Delegation Injection into Empty Non-Terminal with NSEC3

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Jan 15 00:37:19 UTC 2018

> On Jan 14, 2018, at 6:46 PM, Mark Andrews <marka at isc.org> wrote:
> NSEC3 records for ENT only need to exist for parent domains of records that
> provably exist in a NSEC3 zone.  Insecure delegations do not, by default, provably
> exist when OPTOUT is in use.

Bottom line: works as intended.

When that's not the desired outcome, the zone administrator should
not use NSEC3 opt-out.  More broadly, when in any doubt, don't use

The most sensible NSEC3PARAM record for most domains is therefore:

	example.com. IN NSEC3PARAM 1 0 0 -

This lightly obfuscates the zone name chain by using zero additional
iterations, it avoids opt-out and uses an empty salt. a A fixed non-empty
salt would add no value.  If the zone employs whole-zone signing (as opposed
to incremental) and so salt randomization can be used each time the
zone is signed, one might then somewhat benefit from a random non-empty
salt generated at signing time.


More information about the dns-operations mailing list