NSEC3 - PowerPoint PPT Presentation

About This Presentation
Title:

NSEC3

Description:

( Opt-In) NSEC3 hashed labels. Labels are individually hashed. ... NSEC3 Opt-in. Original Opt-in spec technically sound. Tested, implemented, drafted. Opt-in ... – PowerPoint PPT presentation

Slides: 7
Provided by: royar
Learn more at: https://www.ietf.org
Category:
Tags: nsec3 | optin


Transcript and Presenter's Notes

Title: NSEC3


1
NSEC3
  • Increasing zone enumeration cost
  • Decreasing initial deployment cost
  • IETF-60
  • roy_at_dnss.ec

2
NSEC3 basics
  • Lists the next NSEC3's canonically ordered,
    optionally hashed owner name.
  • Lists types at original owner name.
  • Owner name may be hashed (by hashing individual
    labels)
  • Delegation points to unsigned zone optionally
    excluded from the NSEC3 chain. (Opt-In)

3
NSEC3 hashed labels
  • Labels are individually hashed.
  • Empty non-terminals are preserved to avoid EXIST
    or similar workarounds.
  • Labels are optionally hashed.
  • So we have backward compatibility with NSEC. Not
    needed? Don't use it!
  • Includes salt to increase cost of dictionary
    attacks.
  • Salt is 24 bits.

4
NSEC3 hash truncation
  • Discussed in the draft, no reactions so far.
  • What is the damage when hashes are truncated to
    the smallest unique value?
  • Truncation causes higher collision probability.
  • Collision damage
  • Limited to a higher probability to spoof
    non-existent names as existent.
  • NOT POSSIBLE TO SPOOF EXISTENT NAMES AS
    NON-EXISTENT (as existent names will have a
    truncated hash associated)
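The per-label hashing, empty non-terminal preservation and hash truncation of slides 2 to 4, worked through as an added example that is not code from the presentation or its draft. SHA-1 with hex output, the toy zone, the salt value and the function names are assumptions made here; the slides only say labels are hashed individually with a salt and that hashes may be truncated to the smallest unique value.

```python
import hashlib

SALT = bytes.fromhex("a1b2c3")  # constructed 24-bit salt, the size the slides give

# Constructed toy zone (not from the slides): owner names ending at the apex "example".
ZONE = ["example", "www.example", "mail.example", "ftp.example", "a.b.example"]


def hash_label(label: str, salt: bytes) -> str:
    """Hash one label with the salt. SHA-1 and hex output are assumptions here."""
    return hashlib.sha1(salt + label.lower().encode()).hexdigest()


def hash_name(name: str, salt: bytes) -> tuple:
    """Per-label hashing as the slides describe: every label is hashed on its own."""
    return tuple(hash_label(label, salt) for label in name.split("."))


def zone_names(zone) -> set:
    """All owner names plus their ancestors, so an empty non-terminal such as
    'b.example' keeps its place in the chain instead of needing an EXIST workaround."""
    names = set()
    for name in zone:
        labels = name.split(".")
        names.update(".".join(labels[i:]) for i in range(len(labels)))
    return names


def truncation_length(hashed_names, full=40) -> int:
    """Smallest prefix length at which every hashed label in the zone is still unique."""
    labels = {label for hashed in hashed_names for label in hashed}
    for k in range(1, full + 1):
        if len({label[:k] for label in labels}) == len(labels):
            return k
    return full


def build_chain(zone, salt: bytes, k=None):
    """Canonically ordered (rightmost label compared first) truncated hashed names."""
    hashed = [hash_name(n, salt) for n in zone_names(zone)]
    k = k or truncation_length(hashed)
    entries = {tuple(label[:k] for label in h) for h in hashed}
    return sorted(entries, key=lambda h: h[::-1]), k


def classify(zone, chain, k: int, qname: str, salt: bytes) -> str:
    """How a truncated chain answers qname. An existent name always hits its own
    entry, so it can never be shown non-existent. A non-existent name normally falls
    between entries ('nonexistent'); after truncation it may share an entry with a
    real name ('collision'), the spoof-as-existent damage the slides describe."""
    h = tuple(label[:k] for label in hash_name(qname, salt))
    if h in chain:
        return "exists" if qname in zone_names(zone) else "collision"
    return "nonexistent"
```

Passing `k=40` (the full hex digest) to `build_chain` gives the untruncated chain for comparison, where a collision on a non-existent name is practically impossible.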

5
NSEC3 Opt-in
  • Original Opt-in spec technically sound.
  • Tested, implemented, drafted.
  • Opt-in methodology is orthogonal with respect to hashed labels.
  • Addresses initial size increase of delegation
    centric zones.
  • It is optional.

6
Questions
  • The current draft is at
  • http://www.logmess.com/roy/
  • Will do OOB Q&A; come and see me afterwards.