[dns-operations] Forged Delegation Injection into Empty Non-Terminal with NSEC3
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Jan 15 00:37:19 UTC 2018
> On Jan 14, 2018, at 6:46 PM, Mark Andrews <marka at isc.org> wrote:
>
> NSEC3 records for ENT only need to exist for parent domains of records that
> provably exist in a NSEC3 zone. Insecure delegations do not, by default, provably
> exist when OPTOUT is in use.
Bottom line: works as intended.
When that's not the desired outcome, the zone administrator should
not use NSEC3 opt-out. More broadly, when in any doubt, don't use
opt-out.
The most sensible NSEC3PARAM record for most domains is therefore:
example.com. IN NSEC3PARAM 1 0 0 -
This lightly obfuscates the zone name chain by using zero additional
iterations; it avoids opt-out and uses an empty salt. A fixed non-empty
salt would add no value. If the zone employs whole-zone signing (as opposed
to incremental) and so salt randomization can be used each time the
zone is signed, one might then somewhat benefit from a random non-empty
salt generated at signing time.
--
Viktor.
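As an added illustration (example code, not part of the original post or any signer's own code): an RFC 5155 NSEC3 hash routine, plus a small check of a presentation-format NSEC3PARAM record against the advice above. The flags field is read the signer-configuration way (as in the `1 0 0 -` form quoted above), where bit 0 requests opt-out; the record strings in the test are constructed.

```python
import hashlib
import base64

# NSEC3 owner names use base32hex (RFC 4648 "Extended Hex"); Python only ships
# plain base32, so translate the alphabet after encoding.
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(owner: str, salt: str = "-", iterations: int = 0) -> str:
    """RFC 5155 NSEC3 hash (algorithm 1 = SHA-1) of an owner name, base32hex.
    `salt` is the presentation-format hex string, '-' meaning empty."""
    # Canonical wire form of the name: lowercase, length-prefixed labels, root.
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    digest = hashlib.sha1(wire + salt_bytes).digest()
    for _ in range(iterations):  # "additional" iterations beyond the first hash
        digest = hashlib.sha1(digest + salt_bytes).digest()
    # 20 SHA-1 bytes encode to exactly 32 base32 characters, no padding.
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii")


def audit_nsec3param(rr: str) -> list:
    """Return findings for an NSEC3PARAM RR in presentation form, e.g.
    'example.com. IN NSEC3PARAM 1 0 0 -' (TTL optional), flagging what the
    post advises against: opt-out, extra iterations, a fixed non-empty salt."""
    f = rr.split()
    i = f.index("NSEC3PARAM")
    alg, flags, iterations, salt = int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), f[i + 4]
    findings = []
    if alg != 1:
        findings.append("hash algorithm %d is not 1 (SHA-1), the only defined value" % alg)
    if flags & 0x01:
        findings.append("opt-out requested: an ENT whose only children are insecure "
                        "delegations gets no NSEC3 record, so its non-existence "
                        "cannot be proven")
    if iterations != 0:
        findings.append("%d additional iterations; the recommendation is 0" % iterations)
    if salt != "-":
        findings.append("fixed salt %s adds no value; use '-' (empty)" % salt)
    return findings
```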