[dns-operations] NSEC3PARAM iteration count update
Mark Andrews
marka at isc.org
Tue Jan 9 07:21:26 UTC 2018
> On 9 Jan 2018, at 6:00 pm, Lanlan Pan <abbypan at gmail.com> wrote:
>
> Viktor Dukhovni <ietf-dane at dukhovni.org> wrote on Mon, 8 Jan 2018 at 3:20 PM:
>
> > On Jan 8, 2018, at 1:05 AM, Lanlan Pan <abbypan at gmail.com> wrote:
> >
> >> The salt value and iteration counts above 0 (i.e. 1 as you note below)
> >> turned out to be largely counter-productive. It seems that Verisign,
> >> for example, understand this quite clearly. The ".com" zone has an
> >> empty salt, 0 iterations, but uses opt-out:
> >>
> >> CK0POJMG874LJREF7EFN8430QVIT8BSM.com. NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
> >
> > "empty salt, 0 iteration" will be close to NSEC, just a simple hash map.
>
> Actually, no, because the input to the hash is the FQDN, so the same
> label hashes differently in each domain. The salt adds little value
> unless rotated frequently, and rotation is both difficult and rare
> in practice. See
>
> https://tools.ietf.org/html/rfc5155#section-5
>
> Then the calculated hash of an owner name is
>
> IH(salt, owner name, iterations),
>
> where the owner name is in the canonical form, defined as:
>
> The wire format of the owner name where:
>
> 1. The owner name is fully expanded (no DNS name compression) and
> fully qualified;
>
> With or without the salt, any rainbow tables are per-domain. If the
> attacker skips pre-computation, and just computes fresh target-specific
> hashes from a suitable dictionary, the salt offers no protection.
>
> The salt adds little value unless rotated frequently, and rotation is both difficult and rare in practice. +1
> Salt is public, not secret, hence, little protection.
>
> When we update ZSK/KSK, salt and rotation can be updated together to reshuffle the subdomain arrangement.
> One hash operation is a static subdomain arrangement.
>
>
> And yes, I am basically suggesting simplifying NSEC3 to "slightly obfuscated
> NSEC with opt-out" (perhaps just one hash operation). This is sufficient to
> deter "casual" zone-walking. A determined adversary will learn most names in
> most domains. They'll be found in certificates, in PTR records, dictionary
> attacks, ...
>
> Agree.
>
>
> --
> Viktor.
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
>
> --
> Best Regards
>
> 潘蓝兰 Pan Lanlan
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
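The hash computation the thread quotes from RFC 5155 section 5, as an added example (not code from anyone in the thread): it builds the canonical wire form of the owner name, applies IH(salt, owner, iterations) with SHA-1, and base32hex-encodes the result, so the ".com" apex record quoted above (empty salt, 0 iterations) can be reproduced from the name "com." alone. It also shows why the public salt buys little: `recover_names` runs a fresh, target-specific dictionary against owner hashes using nothing but the zone's NSEC3PARAM values. The zone "example.com", the salt `abcd`, the iteration count 10, the names and the wordlist are constructed for illustration; `wire_name`, `nsec3_hash`, `recover_names` and `demo` are this example's own helpers.

```python
"""NSEC3 owner-name hashing per RFC 5155 section 5, plus a dictionary attack.

Added example, not code from the thread. The zone, salt, iteration count,
names and wordlist used in demo() are constructed for illustration.
"""
import base64
import hashlib

# RFC 4648 base32 alphabet -> base32hex (the alphabet NSEC3 owner names use)
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(owner: str) -> bytes:
    """Canonical wire form (RFC 5155 s.5): lowercase, fully qualified, uncompressed."""
    owner = owner.lower().rstrip(".")
    wire = b""
    if owner:  # the root name "." has no labels
        for label in owner.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label in {owner!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"  # terminating root label


def nsec3_hash(owner: str, salt: bytes = b"", iterations: int = 0) -> str:
    """IH(salt, owner, iterations) with SHA-1 (hash algorithm 1), base32hex encoded."""
    digest = hashlib.sha1(wire_name(owner) + salt).digest()  # IH(salt, x, 0) = H(x || salt)
    for _ in range(iterations):                               # IH(salt, x, k) = H(IH(k-1) || salt)
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> 32 base32hex characters, no padding needed
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)


def recover_names(hashed_owners, zone, wordlist, salt=b"", iterations=0):
    """Match NSEC3 owner hashes against candidate names built from a wordlist.

    salt and iterations are copied from the zone's public NSEC3PARAM record,
    which is why the salt adds nothing against a fresh, per-target dictionary run.
    """
    candidates = {nsec3_hash(f"{w}.{zone}", salt, iterations): f"{w}.{zone}"
                  for w in wordlist}
    return {h: candidates[h] for h in hashed_owners if h in candidates}


def demo():
    """Constructed zone: three names, a non-empty salt and 10 iterations."""
    zone = "example.com"
    salt = bytes.fromhex("abcd")  # constructed salt, would be visible in NSEC3PARAM
    iterations = 10
    # What a zone walker collects from the NSEC3 chain: owner hashes only.
    seen = [nsec3_hash(f"{n}.{zone}", salt, iterations)
            for n in ("www", "mail", "db-backup-7")]
    wordlist = ["www", "mail", "ftp", "ns1", "vpn"]  # constructed dictionary
    # "db-backup-7" is not in the wordlist and stays hidden; the others fall out.
    return recover_names(seen, zone, wordlist, salt, iterations)


if __name__ == "__main__":
    print(nsec3_hash("com."))  # apex hash of .com: empty salt, 0 iterations
    # Same label, different zone, different hash: rainbow tables are per-domain.
    print(nsec3_hash("www.example.com"), nsec3_hash("www.example.net"))
    print(demo())
```

`nsec3_hash("com.")` reproduces the owner label of the quoted ".com" NSEC3 record, and the same call with "COM" gives the same answer because the canonical form lowercases the name. You can cross-check any value against `ldns-nsec3-hash` from the ldns tools.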