[dns-operations] Fwd: [FD] [Tool] nsec3map v0.3 - DNSSEC Zone Enumerator

Daniel Stirnimann daniel.stirnimann at switch.ch
Fri Apr 10 07:10:46 UTC 2015

> Version 0.3 of nsec3map is capable of enumerating a high percentage ( >
> 99% ) of NSEC3 records even if the zone is very large (e.g. a million or
> more entries) in a matter of minutes on contemporary hardware.
> A few years ago we also demonstrated that we were able to crack 84% of a
> total of 1.31 million NSEC3 records obtained from a real TLD zone in a
> few days using common CPUs at the time.

That was .ch at the end of 2011. The authors were kind enough to ask for
permission prior to conducting their measurement and shared their
results with us.

.ch is using NSEC3 opt-out since October 2014 but not to prevent zone
walking ;-)


Daniel Stirnimann, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 16 24
daniel.stirnimann at switch.ch, http://www.switch.ch

More information about the dns-operations mailing list