[dns-operations] Evaluation of NSEC3-encloser attack

Jim Reid jim at rfc1035.com
Wed Mar 27 21:29:01 UTC 2024



> On 27 Mar 2024, at 19:37, Ondřej Surý <ondrej at sury.org> wrote:
> 
> Both salt and iterations have absolutely no value for NSEC3 security (see the RFC you just quoted), so just always use empty salt and zero iterations. There’s no added value in fiddling with salt to fit into the SHA1 block.

IMO, there’s no added value in using NSEC3.
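
An added example, not part of either message above and not any project's own code: a Python sketch of the RFC 5155 NSEC3 hash, showing where the salt and iteration count enter the computation, plus a check that flags NSEC3PARAM RDATA departing from the empty-salt, zero-iterations setting recommended in the quoted text. The function names and the sample RDATA strings are assumptions made for illustration.

```python
import base64
import hashlib

# base32hex alphabet (RFC 4648), mapped from the standard base32 alphabet
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")


def wire_name(name):
    """Canonical (lowercase) DNS wire format of an ASCII owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash: SHA-1 over name||salt, then `iterations` extra rounds."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        # every additional iteration is one more SHA-1 call over digest||salt
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")


def audit_nsec3param(rdata):
    """Findings for NSEC3PARAM RDATA '<alg> <flags> <iterations> <salt>'."""
    _alg, _flags, iterations, salt = rdata.split()
    findings = []
    if int(iterations) != 0:
        findings.append(f"iterations={iterations}, expected 0")
    if salt != "-":
        findings.append(f"salt={salt} ({len(salt) // 2} bytes), expected empty ('-')")
    return findings


if __name__ == "__main__":
    # Sample RDATA: the first uses the parameters of the RFC 5155 Appendix A
    # example zone, the second is constructed to match the recommendation.
    for rdata in ("1 0 12 aabbccdd", "1 0 0 -"):
        _, _, iters, salt = rdata.split()
        print(rdata, "->", nsec3_hash("example", salt, int(iters)),
              audit_nsec3param(rdata) or "ok")
```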



