Zone Dumping via DNSSEC
harrisonm.com
This is neat. I didn't know about that shortcoming of DNSSEC, but knowing now, I'll definitely use NSEC3.
I've also naively taken it for granted that some of my machines that're only running ssh on IPv6 wouldn't be subject to brute force attacks, but now I can see how someone might discover DNS names that aren't shared publicly. Good to know!
NSEC3 is not much better! It's usually a simple iterated hash, of the sort Unices used in the 1990s before the invention of bcrypt, so they can be cracked the same way a 1990s password file would be.
Yes, it's not much better, but it's better than nothing. It'll at least make people work a little.
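As an added example, not part of the thread: the "simple iterated hash" mentioned above is, per RFC 5155, SHA-1 over the wire-format name and salt, so an operator can check which of their own names a wordlist would recover from a published NSEC3 chain. The zone `example.test`, its labels, the wordlist and the helper names are constructed for illustration.

```python
import base64
import hashlib

# RFC 4648 base32 -> base32hex alphabet, the encoding NSEC3 owner labels use.
_B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Lowercased DNS wire format: length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash: SHA-1(name || salt), then `iterations` further rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_HEX).decode().lower()

def recoverable_names(chain_hashes, zone, wordlist, salt_hex, iterations):
    """Return {name: hash} for wordlist labels whose hash is in the NSEC3 chain."""
    found = {}
    for word in wordlist:
        name = f"{word}.{zone}"
        h = nsec3_hash(name, salt_hex, iterations)
        if h in chain_hashes:
            found[name] = h
    return found

# Constructed sample data: a zone you operate, its NSEC3PARAM values, its labels.
ZONE, SALT, ITERATIONS = "example.test", "aabbccdd", 12
ZONE_LABELS = ["www", "vpn", "k7q2-build-x9"]
WORDLIST = ["www", "mail", "vpn", "ssh", "dev"]

def audit():
    # In practice chain_hashes would be the owner labels of the zone's NSEC3 records.
    chain = {nsec3_hash(f"{l}.{ZONE}", SALT, ITERATIONS) for l in ZONE_LABELS}
    return recoverable_names(chain, ZONE, WORDLIST, SALT, ITERATIONS)

if __name__ == "__main__":
    for name in audit():
        print("guessable from the published chain:", name)
```

The dictionary labels are reported and the high-entropy label is not: the salt and iteration count are public in NSEC3PARAM, so the hash only protects names that a wordlist would not contain.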