[dns-operations] NSEC3PARAM iteration count update

Matthijs Mekking matthijs at pletterpet.nl
Mon Jan 8 06:23:37 UTC 2018

On 01/07/2018 08:56 PM, Viktor Dukhovni wrote:
>> The harm from NSEC3 iterations is mainly felt by resolvers, but it is
>> easy to generate an attack against authoritative servers that serve
>> zones with high iteration counts causing them to fall over.
> Yes, I expect the zone with an iteration count of 65535 would take
> a noticeable CPU hit at very modest query rates:
>     $ openssl speed sha1
>     ...
>     Doing sha1 for 3s on 64 size blocks: 10499108 sha1's in 3.01s
>     ...
> So, on e.g. my CPU, 65536 iterations of sha1 would take 18ms, so the
> server consumes ~1 CPU for just ~54 queries / sec!

This paper seems to be related:


Best regards,


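As an added example (not from this thread), here is a small Python sketch of the RFC 5155 NSEC3 hash together with the cost arithmetic from the quoted message, so the per-query CPU budget implied by a given NSEC3PARAM can be checked before changing the iteration count. The salt/iteration test vector is the one from RFC 5155 Appendix A and the throughput figure is the `openssl speed sha1` line quoted above; both are assumptions of this example.

```python
import base64
import hashlib

# Constructed inputs: the RFC 5155 Appendix A NSEC3PARAM (salt AABBCCDD, 12
# iterations) and the sha1 throughput from the `openssl speed` line above.
RFC5155_SALT = bytes.fromhex("aabbccdd")
RFC5155_ITERATIONS = 12
SHA1_PER_SEC = 10499108 / 3.01  # 64-byte blocks; a close enough proxy here

# RFC 4648 base32 -> base32hex alphabet translation (NSEC3 owner names use base32hex).
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name: 'example.' -> 07'example'00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1(x || salt), re-applied `iterations` more times,
    then base32hex-encoded (20-byte digest -> 32 characters, no padding)."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()


def parse_nsec3param(rdata):
    """Presentation-format NSEC3PARAM rdata, e.g. '1 0 12 aabbccdd' ('-' = empty salt)."""
    alg, flags, iters, salt = rdata.split()
    return int(alg), int(flags), int(iters), b"" if salt == "-" else bytes.fromhex(salt)


def cost_estimate(iterations, hashes_per_sec=SHA1_PER_SEC, names_per_query=1):
    """(milliseconds of CPU per query, queries/sec that saturate one core).
    Each hashed name costs iterations+1 SHA-1 calls; a negative answer hashes
    several names (closest encloser, next closer, wildcard), hence names_per_query."""
    ms = (iterations + 1) * names_per_query / hashes_per_sec * 1000.0
    return ms, 1000.0 / ms


if __name__ == "__main__":
    print(nsec3_hash("example.", RFC5155_SALT, RFC5155_ITERATIONS))
    for it in (0, 10, 150, 65535):
        ms, qps = cost_estimate(it)
        print(f"iterations={it:5d}: {ms:8.3f} ms/query, ~{qps:,.0f} q/s per core")
```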