
Is there any recommendation for salt length in NSEC3 records? Does a longer salt mean better security, and does a longer salt affect the performance of (authoritative) servers?

DNSSEC operational practices don't mention salt length.

While looking at the list of TLDs with DNSSEC, I see that .COM uses a zero-length salt (no salt), while some TLDs use salts as long as 16 bytes. Is there a reason?

Sandman4
  • 4,045
  • 2
  • 20
  • 27

1 Answer

2

The salt is intended to deter pre-computed dictionary attacks. However, as mentioned in this security review, the salt does not really provide any additional security, because the salt is publicly available through the NSEC3PARAM record. Since the fully-qualified name is used in NSEC3 hashes, there is not even really a risk of a globally useful rainbow-table-type attack, so you're free to choose your hash arbitrarily.

Should an attacker make an unlikely NSEC3 hash collision, the salt would have to be changed to eliminate the collision.

EDIT: For what it's worth, RFC 5155 does make a recommendation:

> The salt SHOULD be at least 64 bits long and unpredictable, so that
> an attacker cannot anticipate the value of the salt and compute the
> next set of dictionaries before the zone is published.

Cakemox
  • 24,141
  • 6
  • 41
  • 67
  • Thanks. I wonder how various TLD operators decided to use short salts (surely they had good reasons), and how often I should change the salt. – Sandman4 May 13 '12 at 09:11
  • Many of them have the OPTOUT bit set and so don't say anything about the non-existence of insecure delegations; see [this question](http://serverfault.com/questions/388028/dnssec-nsec3-opt-out) for an explanation. – Richard Salts Aug 13 '13 at 05:31
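To make the answer's point concrete, here is an added example (my own code, not part of the original post or of any DNS software) that implements the RFC 5155 NSEC3 hash (iterated SHA-1 over the canonical wire-format owner name with the salt appended, base32hex-encoded) and then builds a small pre-computed dictionary for one zone and salt. It shows why such a table is only useful for the exact zone, salt and iteration count it was built for: because the fully-qualified name goes into the hash, the same label under another zone, or under the same zone after a salt change, hashes to something else. The `generate_salt` helper and the candidate-label list are assumptions for the demonstration; the one known-answer check uses the `example.` / `aabbccdd` / 12-iteration vector from RFC 5155 Appendix A.

```python
import base64
import hashlib
import secrets

# base32 -> base32hex (RFC 4648 "Extended Hex" alphabet) translation table.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase labels, each length-prefixed, terminated by the root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    # 20 SHA-1 bytes encode to exactly 32 characters, so no '=' padding appears.
    return base64.b32encode(data).translate(_B32_TO_B32HEX).decode("ascii").lower()


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt),
    IH(salt, x, k) = H(IH(salt, x, k-1) || salt); result after `iterations` steps.
    The NSEC3PARAM presentation format uses '-' for an empty salt, as .COM does."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = name_to_wire(name)
    for _ in range(iterations + 1):  # iterations=0 still hashes once
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def precompute_table(candidates, zone: str, salt_hex: str, iterations: int) -> dict:
    """Dictionary attack pre-computation: hashed owner -> guessed name.
    Only valid for this exact (zone, salt, iterations) triple."""
    zone = zone.rstrip(".")
    return {
        nsec3_hash(f"{label}.{zone}.", salt_hex, iterations): f"{label}.{zone}."
        for label in candidates
    }


def lookup(table: dict, hashed_owner: str):
    """Return the guessed name for an NSEC3 owner hash, or None if not in the table."""
    return table.get(hashed_owner.lower())


def generate_salt(num_bytes: int = 8) -> str:
    """Unpredictable salt in NSEC3PARAM hex form; 8 bytes = the 64 bits RFC 5155 asks for.
    (Assumed helper, not something the answer or the RFC prescribes in this form.)"""
    return secrets.token_hex(num_bytes)


if __name__ == "__main__":
    # RFC 5155 Appendix A: example. with salt aabbccdd and 12 iterations
    print("example.           ->", nsec3_hash("example.", "aabbccdd", 12))
    # Zero-length salt, zero iterations, as used by .COM
    print("example.com. (-)   ->", nsec3_hash("example.com.", "-", 0))

    # Constructed candidate labels for the demonstration.
    guesses = ["a", "www", "mail", "ns1"]
    table = precompute_table(guesses, "example.", "aabbccdd", 12)
    print("a.example. found?     ", lookup(table, nsec3_hash("a.example.", "aabbccdd", 12)))
    print("a.example.net. found? ", lookup(table, nsec3_hash("a.example.net.", "aabbccdd", 12)))
    print("after salt change?    ", lookup(table, nsec3_hash("a.example.", generate_salt(), 12)))
```

Running it prints `0p9mhaveqvm6t7vbl5lop2u3t2rp3tom` for `example.`, finds `a.example.` in the table, and reports `None` for the same label under another zone and for the same zone after a salt rollover; the only thing the salt buys is forcing that table to be rebuilt per zone and per rollover, which is exactly the trade-off the answer describes.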