Question re prevention of enumeration with DNSSEC (NSEC3, etc.)
Daniel Suchy
danny at danysek.cz
Sun May 8 19:28:29 UTC 2022
On 5/8/22 19:48, Warren Kumari wrote:
>> If zone enumeration was not a real concern, NSEC3 would not exist.
>
> Ackchyually, that's only partly true — a significant amount of the
> driver (some would say the large majority) behind NSEC3 was that it
> supports "opt-out". This was important in very large, delegation-centric
> zones (e.g. like .com), where the vast majority of delegations were
> initially not signed. This allows just signing the signed delegations and
> the holes between them, and not all of the unsigned delegations.
But, with opt-out, there are some security concerns around... so TL;DR
generally you should avoid it.
http://www.e-ontap.com/dns/entpoison.html
https://theory.stanford.edu/people/jcm/papers/dnssec_ndss10.pdf
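As an added example (not part of the thread), a small Python model of RFC 5155 NSEC3 hashing and of what a validator can conclude from a chain with and without the opt-out flag; the zone and its delegation names are constructed, and the only real value is the RFC 5155 Appendix A test vector used to check the hash.

```python
import base64
import hashlib

_B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: SHA-1 of (name || salt), re-hashed 'iterations' more times; base32hex."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).translate(_B32_TO_HEX).decode("ascii").lower()

def build_chain(signed_names, opt_out, salt=b"", iterations=0):
    """Return the NSEC3 chain as (owner_hash, next_hash, opt_out) tuples, wrapping at the end."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in signed_names)
    return [(hashes[i], hashes[(i + 1) % len(hashes)], opt_out) for i in range(len(hashes))]

def covers(record, h):
    """True if hash h falls strictly between the record's owner and next hash (mod wrap)."""
    owner, nxt, _ = record
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt  # last record wraps around to the first owner

def denial_status(chain, name, salt=b"", iterations=0):
    """What a validator may conclude about 'name' from the chain:
    'exists' (hash matches an owner), 'nonexistent' (covered by a non-opt-out record),
    or 'unknown' (covered by an opt-out record, so an unsigned delegation may sit there)."""
    h = nsec3_hash(name, salt, iterations)
    for record in chain:
        if h == record[0]:
            return "exists"
        if covers(record, h):
            return "unknown" if record[2] else "nonexistent"
    raise ValueError("chain is not closed")

# Constructed zone: the apex and one secure delegation are in the chain; 'insecure' is not.
SALT, ITER = bytes.fromhex("aabbccdd"), 12
SIGNED = ["example", "a.example"]
STRICT = build_chain(SIGNED, opt_out=False, salt=SALT, iterations=ITER)
OPTOUT = build_chain(SIGNED, opt_out=True, salt=SALT, iterations=ITER)
```

With the strict chain a forged referral for `insecure.example` is provably bogus; with opt-out the same name lands in a gap the chain makes no promise about, which is the hole the thread is talking about.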