[dns-operations] nsec vs nsec3 use

Tony Finch dot at dotat.at
Tue Apr 13 17:02:08 UTC 2021

Grant Taylor via dns-operations <dns-operations at dns-oarc.net> wrote:
> On 4/12/21 7:51 PM, Viktor Dukhovni wrote:
> > my advice is to use NSEC unless you have an absolutely compelling
> > case to attempt to deter zone enumeration
> Would you please elaborate on why that is your opinion / advice?
> It seems contrary to the litmus test of which is more secure vs
> difficult to implement.

Well, NSEC3 is definitely complicated, difficult to understand and debug,
and it has parameters that need some expertise to configure. At least Wes
and Viktor have a draft in progress to provide advice to those who choose
NSEC3. https://tools.ietf.org/html/draft-hardaker-dnsop-nsec3-guidance

NSEC3 gives you two things that NSEC does not:

 1. opt-out, useful for zones that have a very large number of unsigned

 2. an obfuscated list of names in the zone.

Static NSEC3 can't provide any serious protection against zone
enumeration, because DNS names are friendly to people and therefore an
ideal candidate for password crackers. (If anyone populates their zones
with the output from `pwgen` I will be both very entertained and eager to
speak to their users.)

And NSEC3 can't use the kind of work-hardening that password hashes use to
protect against cracking, because high iteration counts are absolute
murder to both authoritative servers and validators. Hence Wes and
Viktor's draft recommends an iteration count of 0 (i.e. hash once).

Maybe use NSEC3 if you have a stunt DNS server like Cloudflare's that is
able to generate narrow NSEC3 denials, or if you are a large TLD without
DNSSEC incentives, but otherwise NSEC3 gives you a lot of pain for no
real benefit.

f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
North Bailey: Southwesterly 3 to 5. Moderate. Showers. Good.

More information about the dns-operations mailing list