Question re prevention of enumeration with DNSSEC (NSEC3, etc.)

Daniel Suchy danny at danysek.cz
Sun May 8 19:28:29 UTC 2022


On 5/8/22 19:48, Warren Kumari wrote:
>>     If zone enumeration was not a real concern, NSEC3 would not exist.
> 
> Ackchyually, that's only partly true — a significant amount of the
> driver (some would say the large majority) behind NSEC3 was that it
> supports "opt-out". This was important in very large, delegation-centric
> zones (e.g. like .com), where the vast majority of delegations were
> initially not signed. This allows just signing the signed delegations and
> the holes between them, and not all of the unsigned delegations.

But, with opt-out, there are some security concerns around it... so TL;DR
generally you should avoid it.

http://www.e-ontap.com/dns/entpoison.html
https://theory.stanford.edu/people/jcm/papers/dnssec_ndss10.pdf


More information about the NANOG mailing list
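The following is an added illustration, not code from this thread or from any project the thread names: a small Python model of RFC 5155 NSEC3 hashing and of the span-coverage check a validator performs, showing what an opt-out span does and does not prove. The zone names (`example.`, `a.example.`, `unsigned.example.`) are constructed; the salt `aabbccdd` and 12 iterations are the parameters used in RFC 5155 Appendix A. Function names such as `build_chain` and `absence_proof` are this example's own, not any library's API.

```python
"""Constructed example: NSEC3 hashing (RFC 5155) and what an opt-out span proves.

With opt-out clear, every name between two chain owners is proven absent.
With opt-out set, the same span may legitimately hold unsigned delegations,
so a validator can only treat a delegation found there as insecure, not as
bogus; this is the weakening the thread's links discuss.
"""
import base64
import hashlib

# base32hex alphabet (RFC 4648 section 7) built from the standard base32 output
_TO_BASE32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                b"0123456789ABCDEFGHIJKLMNOPQRSTUV")
OPT_OUT = 0x01  # NSEC3 flags field, RFC 5155 section 3.1.2.1


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name: lower-cased, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminator


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1 over (name || salt), re-hashed `iterations` more times."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> exactly 32 base32hex characters, no padding
    return base64.b32encode(digest).translate(_TO_BASE32HEX).decode().lower()


def build_chain(signed_names, salt_hex: str, iterations: int, opt_out: bool):
    """Hash the signed names and link them into a sorted NSEC3 ring (hypothetical helper)."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in signed_names)
    flags = OPT_OUT if opt_out else 0
    return [{"owner": h, "next": hashes[(i + 1) % len(hashes)], "flags": flags}
            for i, h in enumerate(hashes)]


def covering_record(chain, qhash: str):
    """Return (record, 'match' | 'covered' | 'none') for a hashed query name."""
    for rec in chain:
        if rec["owner"] == qhash:
            return rec, "match"
        lo, hi = rec["owner"], rec["next"]
        if lo < hi:
            covers = lo < qhash < hi
        else:  # last record wraps around to the first (or single-record ring)
            covers = qhash > lo or qhash < hi
        if covers:
            return rec, "covered"
    return None, "none"


def absence_proof(chain, qname: str, salt_hex: str, iterations: int) -> str:
    """What the chain proves about qname: exists / proven-absent / insecure-possible / no proof."""
    rec, how = covering_record(chain, nsec3_hash(qname, salt_hex, iterations))
    if how == "match":
        return "exists"
    if how == "none":
        return "no proof"
    if rec["flags"] & OPT_OUT:
        # Unsigned delegations may sit in this span, so absence is NOT proven;
        # a delegation answer here can only be classified insecure, not bogus.
        return "insecure-possible"
    return "proven-absent"


if __name__ == "__main__":
    salt, iters = "aabbccdd", 12
    signed = ["example.", "a.example.", "ns1.example."]  # constructed zone contents
    for opt_out in (False, True):
        chain = build_chain(signed, salt, iters, opt_out)
        print("opt-out=%s: unsigned.example. -> %s" %
              (opt_out, absence_proof(chain, "unsigned.example.", salt, iters)))
```

Run as a script it prints `proven-absent` for the chain without opt-out and `insecure-possible` for the chain with it: the same missing name, the same covering span, but only the first chain lets a validator reject an unexpected delegation in that span as bogus.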