[dns-operations] NSEC3PARAM iteration count update
Matthijs Mekking
matthijs at pletterpet.nl
Mon Jan 8 06:23:37 UTC 2018
On 01/07/2018 08:56 PM, Viktor Dukhovni wrote:
>> The harm from NSEC3 iterations is mainly felt by resolvers, but it is
>> easy to generate an attack against authoritative servers that serve
>> zones with high iteration counts causing them to fall over.
>
> Yes, I expect the zone with an iteration count of 65535 would take
> a noticeable CPU hit at very modest query rates:
>
> $ openssl speed sha1
> ...
> Doing sha1 for 3s on 64 size blocks: 10499108 sha1's in 3.01s
> ...
>
> So, on e.g. my CPU, 65536 iterations of sha1 would take 18ms, so the
> server consumes ~1 CPU for just ~54 queries / sec!
This paper seems to be related:
https://www.nlnetlabs.nl/downloads/publications/nsec3_hash_performance.pdf
Best regards,
Matthijs
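An added example (mine, not from anyone in this thread) that implements the NSEC3 owner-name hash from RFC 5155 section 5 and turns the `openssl speed sha1` figure quoted above into per-query CPU cost; the check value is the RFC 5155 Appendix A test vector (salt aabbccdd, 12 iterations, name "example.").

```python
import base64
import hashlib

# NSEC3 owner names use base32hex (RFC 4648 section 7); Python's b32encode
# uses the RFC 4648 section 6 alphabet, so translate between the two.
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(0) = SHA1(name||salt), IH(k) = SHA1(IH(k-1)||salt).

    An NSEC3PARAM iteration count of N therefore costs N+1 SHA-1 invocations,
    which is why 65535 iterations means 65536 hashes per hashed name.
    """
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()


def cpu_seconds_per_hashed_name(iterations: int, sha1_per_sec: float) -> float:
    """CPU time an authoritative server spends hashing one name."""
    return (iterations + 1) / sha1_per_sec


def max_names_per_core_per_sec(iterations: int, sha1_per_sec: float) -> float:
    """Names one core can hash per second; an NXDOMAIN answer may need the
    server to hash several names (closest-encloser proof), so per-query
    capacity is at most this figure."""
    return sha1_per_sec / (iterations + 1)


# SHA-1 rate quoted in the thread: 10499108 hashes of 64-byte blocks in 3.01 s.
QUOTED_SHA1_RATE = 10499108 / 3.01

if __name__ == "__main__":
    print(nsec3_hash("example.", bytes.fromhex("aabbccdd"), 12))
    for iters in (0, 10, 150, 65535):
        print(f"{iters:6d} iterations: "
              f"{cpu_seconds_per_hashed_name(iters, QUOTED_SHA1_RATE) * 1e3:8.3f} ms/name, "
              f"{max_names_per_core_per_sec(iters, QUOTED_SHA1_RATE):12.0f} names/s/core")
```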