> On 8 Nov 2021, at 12:55 pm, A. Schulze <s...@andreasschulze.de> wrote:
> 
> sorry for maybe asking an already answered question,
> but why is NSEC3 considered to have no benefit at all?

My take is that NSEC3 provides little benefit beyond the initial
(0th) iteration.

> I'm still on "NSEC allow zone-walks while NSEC3 don't"
> At least not without additional effort.

But, of course, that initial iteration provides only limited protection
against zone walking: it deters *casual* attacks, by those who are not
sufficiently motivated to expend CPU on dictionary attacks (that would
likely recover a decent fraction of the names for most zones).

There are a few possible paths forward:

* Accept that sufficiently determined adversaries will mount a dictionary
  attack, but there won't be many of them.  Make do with NSEC3 and zero
  iterations.

* Accept that your zone data is not secret, publish vanilla NSEC records
  and let the zone walkers go at it.  For some TLDs, spin up a public
  AXFR service, or make zone data available via HTTPS, call it "Open Data".

* Use NSEC in combination with online signing (with ECDSA P256(13)), using
  minimal covering NSEC RRs.  These *actually* preclude offline dictionary
  attacks at the cost of online signing of negative answers.  If not leaking
  zone data is important enough, this is the actually secure way to get there.

NSEC3 is neither fish nor fowl.  Regardless of any practically realistic
iteration count, it is still vulnerable to dictionary attacks.  Its main
tangible benefit (at some non-trivial security cost) is opt-out, which is
increasingly a bad idea for most zones.

Thus we find .COM and others using "NSEC3 1 1 0 -" (just opt-out).  But
most zones, if they use NSEC3 at all, should have "NSEC3 1 0 0 -", or
just NSEC, possibly with minimal covering replies via online signing.

-- 
        Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
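Added worked example, not part of Viktor's message or of any software discussed on the list: it implements the NSEC3 owner-name hash from RFC 5155 section 5 (SHA-1, salt, iterations, base32hex), parses the "1 1 0 -" style parameters mentioned above, and then runs the offline dictionary attack the message describes against a harvested NSEC3 chain. The zone example.test., its names and the wordlist are constructed for illustration; the hash routine can be checked against the vectors in RFC 5155 Appendix A.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex alphabet (RFC 4648 section 7), which
# NSEC3 owner names use; presentation form is lower case with no padding.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV"
)


def name_to_wire(name: str) -> bytes:
    """Uncompressed wire format of a DNS name in canonical (lower-case) form."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # the root label terminates the name
    return bytes(out)


def ih(x: bytes, salt: bytes, k: int) -> bytes:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt) and
    IH(salt, x, k) = H(IH(salt, x, k-1) || salt), with H = SHA-1 (hash alg 1)."""
    digest = hashlib.sha1(x + salt).digest()
    for _ in range(k):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """Presentation form of the NSEC3 hash of an owner name."""
    raw = base64.b32encode(ih(name_to_wire(name), salt, iterations)).decode("ascii")
    return raw.rstrip("=").translate(_B32_TO_B32HEX).lower()


def parse_nsec3param(rdata: str) -> dict:
    """Parse NSEC3PARAM (or the leading fields of NSEC3) rdata such as "1 1 0 -":
    hash algorithm (1 = SHA-1), flags (bit 0 = opt-out), iterations, hex salt
    ("-" means the empty salt)."""
    alg, flags, iterations, salt = rdata.split()[:4]
    if alg != "1":
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    return {
        "opt_out": bool(int(flags) & 1),
        "iterations": int(iterations),
        "salt": b"" if salt == "-" else bytes.fromhex(salt),
    }


def dictionary_attack(zone: str, chain_hashes: set, params: dict, wordlist) -> dict:
    """Offline attack on a harvested NSEC3 chain: hash each guess under the
    zone's salt and iteration count and keep the ones that appear as NSEC3
    owner hashes. Cost is len(wordlist) * (iterations + 1) SHA-1 calls and no
    further queries, so salt and iterations only scale the attacker's CPU bill."""
    recovered = {}
    for word in wordlist:
        guess = f"{word}.{zone}"
        h = nsec3_hash(guess, params["salt"], params["iterations"])
        if h in chain_hashes:
            recovered[h] = guess
    return recovered


# Constructed zone contents (not a real zone) and a deliberately tiny wordlist;
# real attackers use wordlists with millions of entries plus zone-specific terms.
ZONE = "example.test."
ZONE_NAMES = [ZONE] + [f"{h}.{ZONE}" for h in ("www", "mail", "ns1", "secret-host-42")]
WORDLIST = ["www", "mail", "ns1", "ns2", "ftp", "smtp", "imap", "vpn", "dev", "staging"]


def build_chain(params: dict) -> set:
    """What a walker harvests from the zone: the NSEC3 owner hashes (the
    'next hashed owner' fields yield the same set), without the original names."""
    return {nsec3_hash(n, params["salt"], params["iterations"]) for n in ZONE_NAMES}


def run_demo(nsec3param: str = "1 0 0 -") -> dict:
    params = parse_nsec3param(nsec3param)
    return dictionary_attack(ZONE, build_chain(params), params, WORDLIST)


if __name__ == "__main__":
    for rdata in ("1 0 0 -", "1 0 150 aabbccdd"):
        print(rdata, "->", sorted(run_demo(rdata).values()))
    # Both runs recover www, mail and ns1 and miss only secret-host-42: a salt
    # and a higher iteration count change the attacker's cost, not the outcome.
```

Note that a hash is only matched for names an attacker can guess; the unguessable secret-host-42 survives either way, which is the limited, "casual attacker" protection Viktor describes, and it costs every validating resolver the same extra SHA-1 work per negative answer.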
