[dns-operations] [Ext] Signing on the fly and UltraDNS

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Jan 5 16:15:24 UTC 2021


On Tue, Jan 05, 2021 at 10:58:19AM -0500, John Levine wrote:

> It is not clear to me that this stuff is there to prevent enumeration.
> The funky names allow zone updates without having to keep the zone in
> canonical order to regenerate the NSEC chain.

With NSEC3 it is easy to perturb the SHA1 hashes by (+/-)1, to get fake
neighbours with negligible probability of collision with a real neighbour.
With NSEC3, one has to actually check that the "epsilon" functions don't
yield ranges overlapping live data, so one still implicitly needs an
ordering of the zone, it just does not have to be pre-signed.

Now in fact, in the implementation in question, they have the real NSEC
chain in place, and I just walk it with sufficiently exotic queries.  So
one can only conclude that indeed this is an ineffective zone-walking
defence, for otherwise why bother?  But there could perhaps be a bit more
to this that's not entirely obvious.

-- 
    Viktor.
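
The NSEC3 perturbation described in the message above, as an added sketch that is not part of the original post and not the code of any implementation discussed on the list. It computes the RFC 5155 hash of a queried name and builds a covering range from the hash minus one to the hash plus one. The function names, the in-memory set of live hashes, and the choice to refuse when the query hash or either fabricated endpoint equals a live hash are assumptions made for illustration.

```python
import base64
import hashlib

# base64.b32encode uses the RFC 4648 alphabet; NSEC3 owner labels use base32hex.
_B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              b"0123456789ABCDEFGHIJKLMNOPQRSTUV")
MODULUS = 1 << 160  # size of the SHA-1 output space


def wire_name(name):
    """Canonical (lowercased) wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 hash as an integer: SHA-1 applied iterations+1 times,
    with the salt appended to the input of every round."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return int.from_bytes(digest, "big")


def b32hex(value):
    """Encode a 160-bit integer as a lowercase base32hex NSEC3 label."""
    raw = value.to_bytes(20, "big")
    return base64.b32encode(raw).translate(_B32_TO_HEX).decode().lower()


def epsilon_nsec3(qname, live_hashes, salt=b"", iterations=0):
    """Return (owner_label, next_label) of a minimal covering NSEC3 for qname,
    or None when the name exists or a fabricated endpoint hits live data."""
    h = nsec3_hash(qname, salt, iterations)
    if h in live_hashes:
        return None  # the name exists, so no denial may be issued
    lo, hi = (h - 1) % MODULUS, (h + 1) % MODULUS
    if lo in live_hashes or hi in live_hashes:
        return None  # negligible probability, but it must still be checked
    return b32hex(lo), b32hex(hi)


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")  # parameters of the RFC 5155 example zone
    live = {nsec3_hash(n, salt, 12) for n in ("example", "a.example")}  # constructed zone
    print(epsilon_nsec3("nxdomain.example", live, salt, 12))
```
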


