Question re prevention of enumeration with DNSSEC (NSEC3, etc.)

Mukund Sivaraman muks at
Sat May 7 01:18:07 UTC 2022

On Fri, May 06, 2022 at 08:58:51PM -0400, Amir Herzberg wrote:
> Hi NANOGers,
> I have a small question re DNSSEC `proof of non-existence' records: NSEC,
> NSEC3 and the (dead?) NSEC5 proposal.
> <begin background (probably known to all/most):> NSEC3 was motivated as a
> method to prevent Zone enumeration, then Berenstein showed its defense is
> pretty weak. RFC7129 (White Lies) prevents this enumeration attack but
> requires online signing with the zone's key, which introduces another
> vulnerability and, of course, overhead of online-signing. NSEC5 was
> proposed to prevent enumeration without online signing, so arguably more
> secure than RFC7129, but has comparable online overhead and appears `dead';
> the I-D expired (last update July'17).
> Note that NSEC3 also supports `opt-out', which reduces overhead for
> adoptions in domains with many non-adopting ASes, and I believe is not
> supported by NSEC.
> <end background>
> Questions:
> - Do you find zone enumeration a real concern?

The answer to this would vary depending on who is asked, so it's not
clear how you would use such answers. It may be a concern to some, may
not be a concern to others.

If zone enumeration was not a real concern, NSEC3 would not
exist. However, public DNS is a public tree and so we should have
limited expectations for hiding names in it.

> - Do you think the white-lies countermeasure is sufficient and fine, or do
> you have security and/or performance concern (or just think it's
> pointless)?
> - and the final question... would you think an alternative to NSEC5 which
> will be more efficient and simpler would be of potential practical
> importance, or just a nice academic `exercise'?
> I'm really unsure about these questions - esp. the last one - and your
> feedback may help me decide on the importance of this line of research.
> Just fun or of possible practical importance?

These questions may be better posed to the dnsop at and
dns-operations at mailing lists, as you'll get more relevant
answers from people who work in the DNS industry.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <>

More information about the NANOG mailing list