Mastodawn

The .gov domain name with the highest NSEC3 iteration count, making DNSSEC validators perform extra SHA-1 hashes for little benefit, is nepa.gov, which seems to be a redirect site for the National Environmental Policy Act.

Show thread

otto@openbsd Mar 18

@mnordhoff Some validators will refuse to validate these NSEC3 records and they will go Insecure for results containing them. See https://www.rfc-editor.org/rfc/rfc9276.html#name-recommendation-for-validati

RFC 9276: Guidance for NSEC3 Parameter Settings

NSEC3 is a DNSSEC mechanism providing proof of nonexistence by asserting that there are no names that exist between two domain names within a zone. Unlike its counterpart NSEC, NSEC3 avoids directly disclosing the bounding domain name pairs. This document provides guidance on setting NSEC3 parameters based on recent operational deployment experience. This document updates RFC 5155 with guidance about selecting NSEC3 iteration and salt parameters.

Show thread

Matt Nordhoff Mar 18

@otto Yeah, true! I'm not asking anyone to do the research, but I wonder what percentage of validation is done by validators with lower limits by now.

Recursor changed the default limit from 150 to 50 all the way back in 5.0.0, but Unbound is still on 150, for example.

PowerDNS Recursor New Style (YAML) Settings — PowerDNS Recursor documentation

Show thread

otto@openbsd Mar 19

@mnordhoff Bind moved to 50 in version 9.19: https://kb.isc.org/v1/docs/dnssec-signed-zones-best-practice-guidance-for-nsec3-iterations#changes-introduced-to-bind-from-919

Knot resolver also uses 50 since 6.0.6: https://www.knot-resolver.cz/documentation/master/NEWS.html#knot-resolver-6-0-6-2024-02-13

DNSSEC signed zones - best practice guidance relating to NSEC3 signing and validation

DNSSEC-signed zones offer protection against response spoofing to both DNSSEC-validating resolvers and authoritative DNS zone operators who choose to sign their published zones.