
feat(api): for new domains, set "NSEC3PARAM 1 0 0 -"

We don't need a salt because the apex name is part of the hash, serving
as salt (global rainbow tables not possible).

The iteration count means "extra iterations", i.e. 0 means hashing once.
Values above 10 are no longer recommended. The factor of 10 is not
significant for an attacker, but incurs unnecessary load on the primary
and resolvers. Still, the single iteration keeps away casual attacks.

Reference: https://datatracker.ietf.org/doc/html/draft-hardaker-dnsop-nsec3-guidance
Peter Thomassen, 4 years ago
Commit e86b920b33
1 changed file with 1 addition and 3 deletions:
      api/desecapi/pdns_change_tracker.py
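The commit message relies on two facts about NSEC3 hashing (RFC 5155 section 5): the owner name itself is hashed together with the salt, so the zone apex already diversifies hashes between zones, and the iterations field counts extra rounds on top of the mandatory first one. The following is an added example (not deSEC or PowerDNS code) that implements the hash from the RFC so both points can be checked directly; the domain names and the old-style salt `0011223344556677` used in the demo are constructed inputs.

```python
"""NSEC3 owner-name hashing per RFC 5155 section 5.

Added example, not code from the deSEC repository or PowerDNS. Hash algorithm
1 (SHA-1) is the only algorithm registered for NSEC3.
"""
import base64
import hashlib
from typing import Tuple

# Standard base32 (RFC 4648 section 6) -> base32hex (RFC 4648 section 7), the
# alphabet NSEC3 owner labels use. Done by translation so it runs on Python < 3.10.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def parse_nsec3param(rdata: str) -> Tuple[int, int, int, bytes]:
    """Parse NSEC3PARAM presentation format "<alg> <flags> <iterations> <salt>".
    The salt is hex, or "-" for the empty salt (RFC 5155 section 3.3)."""
    alg, flags, iterations, salt = rdata.split()
    if alg != "1":
        raise ValueError("only hash algorithm 1 (SHA-1) is defined for NSEC3")
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return int(alg), int(flags), int(iterations), salt_bytes


def to_canonical_wire(name: str) -> bytes:
    """Uncompressed wire format of a name in canonical (lowercase) form; this is
    the value the NSEC3 hash is computed over (RFC 5155 section 5)."""
    name = name.rstrip(".").lower()
    if not name:
        return b"\x00"  # the root name
    wire = b""
    for label in name.split("."):
        label_bytes = label.encode("ascii")
        if not 1 <= len(label_bytes) <= 63:
            raise ValueError("bad label length in %r" % name)
        wire += bytes([len(label_bytes)]) + label_bytes
    return wire + b"\x00"


def nsec3_hash(name: str, nsec3param: str) -> Tuple[str, int]:
    """Return (base32hex owner label, number of SHA-1 invocations performed).

    RFC 5155 section 5 defines
        IH(salt, x, 0) = H(x || salt)
        IH(salt, x, k) = H(IH(salt, x, k-1) || salt)
    so iterations = 0 still hashes once: the field counts *extra* rounds.
    """
    _, _, iterations, salt = parse_nsec3param(nsec3param)
    digest = hashlib.sha1(to_canonical_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    label = base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()
    return label, iterations + 1


if __name__ == "__main__":
    # Constructed inputs: the old deSEC-style parameters (127 extra iterations,
    # 8 random salt bytes) next to the new "1 0 0 -".
    old_params = "1 0 127 0011223344556677"
    new_params = "1 0 0 -"
    for params in (old_params, new_params):
        label, rounds = nsec3_hash("www.example.org", params)
        print("%-26s -> %s.example.org.  (%d SHA-1 rounds)" % (params, label, rounds))
    # Same relative label under a different apex gives a different hash even with
    # no salt, because the full owner name is hashed: the apex acts as the salt.
    print(nsec3_hash("www.example.org", new_params)[0]
          != nsec3_hash("www.example.net", new_params)[0])
```

The round counter makes the load argument in the commit message concrete: the old value costs 128 SHA-1 invocations per name on the signer and on every validating resolver, the new value costs one, and an attacker enumerating names pays the same per-guess factor, which is why the draft the commit cites treats high iteration counts as cost without benefit.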

+ 1 - 3
api/desecapi/pdns_change_tracker.py

@@ -1,4 +1,3 @@
-import secrets
 import socket
 import socket
 
 
 from django.conf import settings
 from django.conf import settings
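Review bot: dropping `import secrets` is only safe if `secrets.token_hex` had no other call site in this module; the visible hunks show just the one in `pdns_do` being removed, so confirm with a quick `grep -n secrets api/desecapi/pdns_change_tracker.py` before merging rather than relying on the linter alone.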
@@ -84,14 +83,13 @@ class PDNSChangeTracker:
             return True
             return True
 
 
         def pdns_do(self):
         def pdns_do(self):
-            salt = secrets.token_hex(nbytes=8)
             _pdns_post(
             _pdns_post(
                 NSLORD, '/zones?rrsets=false',
                 NSLORD, '/zones?rrsets=false',
                 {
                 {
                     'name': self.domain_name_normalized,
                     'name': self.domain_name_normalized,
                     'kind': 'MASTER',
                     'kind': 'MASTER',
                     'dnssec': True,
                     'dnssec': True,
-                    'nsec3param': '1 0 127 %s' % salt,
+                    'nsec3param': '1 0 0 -',
                     'nameservers': settings.DEFAULT_NS,
                     'nameservers': settings.DEFAULT_NS,
                     'rrsets': [{
                     'rrsets': [{
                         'name': self.domain_name_normalized,
                         'name': self.domain_name_normalized,
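Review bot: the NSEC3 policy now lives as the anonymous literal `'nsec3param': '1 0 0 -'` inside the zone-creation POST; consider hoisting it to a named constant or a `settings` entry next to `settings.DEFAULT_NS` so the rationale given in the commit message (no salt needed, zero extra iterations) is documented where the value is defined. Note also that this code path only runs on `POST /zones` for newly created domains, so zones already created with the removed `'1 0 127 %s' % salt` keep their 127-iteration parameters until they are updated separately; if the old iteration count is considered a load problem for the primary and resolvers, a migration over existing zones is a follow-up item.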