nanog mailing list archives

Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.)


From: Matt Corallo <nanog () as397444 net>
Date: Wed, 11 May 2022 14:44:22 -0700



On 5/6/22 5:58 PM, Amir Herzberg wrote:
Hi NANOGers,

Questions:
- Do you find zone enumeration a real concern?

I have found that some people who are concerned about such things will have Let's Encrypt certs for many of the same hosts they were worried about - which of course makes the DNS zone enumeration issue moot - any CA-signed certs are already public these days.

Doesn't make the issue completely moot, but the reality is if you're exposing something to the internet, there are plenty of ways for it to leak out, so best not to make it public to begin with.

Tangentially related today is the news that all your "private channel" names are actually completely public on Discord[1], which was also true for Slack for many years, with their security folks claiming it's totally no problem that anyone can see you have a channel named secret-jv-announcing-next-month-with-company-X.

Matt

[1] https://twitter.com/joshfraser/status/1524093111349166080

