nanog mailing list archives
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.)
From: Daniel Suchy via NANOG <nanog () nanog org>
Date: Sun, 8 May 2022 21:28:29 +0200
On 5/8/22 19:48, Warren Kumari wrote:
> If zone enumeration was not a real concern, NSEC3 would not exist.

Ackchyually, that's only partly true — a significant amount of the driver (some would say the large majority) behind NSEC3 was that it supports "opt-out". This was important in very large, delegation-centric zones (e.g. like .com), where the vast majority of delegations were initially not signed. This allows just signing the signed delegations and the holes between them, and not all of the unsigned delegations.

But, with opt-out, there are some security concerns around it... so TL;DR generally you should avoid it.

http://www.e-ontap.com/dns/entpoison.html
https://theory.stanford.edu/people/jcm/papers/dnssec_ndss10.pdf
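The mechanics behind the thread's point, as an added example that is not part of the original post or of any NANOG poster's code: an NSEC3 chain is built from hashed owner names (RFC 5155 hash: SHA-1 over the wire-format name plus salt, repeated `iterations` extra times, base32hex-encoded), and the Opt-Out bit is the least significant bit of the NSEC3 Flags field. The script below computes NSEC3 hashes, builds a constructed chain for a toy `example` zone, and classifies a name as matched by the chain, proven absent, or merely falling into an opt-out span, which is the case where an unsigned delegation can exist without the chain proving anything about it. Zone names, salt, and iteration count are constructed values; `build_chain` and `classify` are hypothetical helper names, not any resolver's or signer's API.

```python
import base64
import hashlib

OPT_OUT = 0x01  # RFC 5155 section 3.1.2.1: Opt-Out is the least significant Flags bit

# Constructed NSEC3 parameters for the toy zone (not taken from any real zone)
ZONE = "example"
SALT = "aabbccdd"
ITERATIONS = 12

_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire format: lowercase labels, length-prefixed, root terminator."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt); IH(k) = H(IH(k-1) || salt)."""
    if algorithm != 1:
        raise ValueError("only SHA-1 (hash algorithm 1) is defined for NSEC3")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = wire_name(name)
    for _ in range(iterations + 1):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> 32 base32hex characters, no padding
    return base64.b32encode(digest).decode().translate(_B32HEX).lower()


def parse_nsec3(rdata: str) -> dict:
    """Parse NSEC3 RDATA text: alg flags iterations salt next-hashed [type bitmap...]."""
    f = rdata.split()
    flags = int(f[1])
    return {"algorithm": int(f[0]), "flags": flags, "iterations": int(f[2]),
            "salt": f[3], "next": f[4].lower(), "types": f[5:],
            "opt_out": bool(flags & OPT_OUT)}


def covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if target falls strictly inside the span (owner, next), with wrap-around."""
    o, n, t = owner_hash.lower(), next_hash.lower(), target_hash.lower()
    if o < n:
        return o < t < n
    return t > o or t < n  # last record wraps to the first hash in the chain


def build_chain(zone: str, signed_names: list, salt: str, iterations: int, opt_out: bool) -> list:
    """Constructed chain: one NSEC3 per signed name, ordered by hash, each pointing at the next."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in signed_names)
    flags = OPT_OUT if opt_out else 0
    return [(f"{h}.{zone}.", f"1 {flags} {iterations} {salt} {hashes[(i + 1) % len(hashes)]}")
            for i, h in enumerate(hashes)]


def classify(records: list, name: str, salt: str, iterations: int) -> str:
    """What the chain says about `name`: matched, proven-absent, opt-out-span, or broken-chain."""
    target = nsec3_hash(name, salt, iterations)
    for owner, rdata in records:
        owner_hash = owner.split(".")[0].lower()
        if owner_hash == target:
            return "matched"
        rr = parse_nsec3(rdata)
        if covers(owner_hash, rr["next"], target):
            # With Opt-Out set, an unsigned delegation may legitimately sit in this span,
            # so the record proves nothing about the name; without it, absence is proven.
            return "opt-out-span" if rr["opt_out"] else "proven-absent"
    return "broken-chain"


if __name__ == "__main__":
    signed = ["example", "ns1.example", "signed.example"]
    for opt_out in (True, False):
        chain = build_chain(ZONE, signed, SALT, ITERATIONS, opt_out)
        for n in ("signed.example", "unsigned.example"):
            print(f"opt_out={opt_out} {n}: {classify(chain, n, SALT, ITERATIONS)}")
```

When auditing a zone, the salt and iteration count come from its NSEC3PARAM record; the classification above is the check a validator performs when it decides whether an unsigned delegation is an acceptable insecure delegation (opt-out span) or a forged absence. RFC 9276 now recommends zero additional iterations and an empty salt, since the hashing buys no real enumeration resistance against an attacker who can recompute it.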