On 11.3.2015 17:30, Florian Weimer wrote:
> On 03/11/2015 05:19 PM, Jan Včelák wrote:
> 
>>> It's not clear if the security goals make sense.  What do zone operators
>>> gain if zone enumeration attacks are moved from offline to online, other
>>> than a need to provision additional server capacity?  It's not that they
>>> can block resolution requests from large resolvers if a part of their
>>> client population participates in aggressive enumeration.
>>
>> It depends whether you see zone enumeration as a problem.
> 
> If I really want to enumerate a zone, I will just send my dictionary as
> queries, possibly through open resolvers.  People are reckless like
> that.  At least with NSEC3, polite attackers can do some of the
> processing off-line, without punishing authoritative servers or
> resolvers.  NSEC5 takes away that option.  Do the existing enumerators
> care?  Who knows.

I really can't tell. I don't know.

>>> Section 4 says, “NSEC5 hash is an SHA-256 hash function as specified in
>>> [RFC6234].”  Are you sure that's right?
>>
>> You mean the reference to the RFC? Yes, I think it's right. Or am I
>> missing something?
> 
> I'm guessing, but “NSEC5 hash” is probably what involves FDH.  Based on
> your comments, it's clearly *not* SHA-256, contrary to what I quoted above.

The NSEC5 proof is the FDH of the domain name.
The NSEC5 hash is the SHA-256 of the NSEC5 proof.

I will clarify that.

>> We deal with NSEC5 proofs and NSEC5 hashes (see the Terminology
>> section). The NSEC5 proof is the FDH (can be computed only by the
>> holder of the NSEC5 private key); the NSEC5 hash is an SHA-256 hash of
>> the NSEC5 proof (everyone can compute it, if they know the NSEC5 proof).
>>
>> So in your notation, an NSEC5 RR owner name should be:
>> Base32hex(SHA-256(FDH(Wire-Encode(owner name), privkey)))
> 
> And the inner part (without the Base32 encoding) is the NSEC5 hash?  Or
> is the SHA-256 hash skipped?

Yes, the SHA-256(...) is the NSEC5 hash. The input is the NSEC5 proof.

Jan
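The proof/hash/owner-name chain spelled out in this exchange, as an added Python walk-through (not code from the NSEC5 draft or from either poster). It assumes a constructed 12-bit textbook RSA key, a counter-mode SHA-256 expansion for the FDH, and the NSEC3 convention of dropping Base32hex padding and appending the zone apex to the label; its point is that the proof needs the private key while the hash and the owner name need only the proof.

```python
import base64
import hashlib

# Constructed toy RSA key (p=61, q=53, e=17) so every step is visible;
# a real NSEC5 key is thousands of bits.  17*2753 == 15*3120 + 1, so D is e's inverse mod phi(N).
P, Q, E, D = 61, 53, 17, 2753
N = P * Q                                  # 3233
NBYTES = (N.bit_length() + 7) // 8         # bytes needed to carry a value below N
B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_encode(name: str) -> bytes:
    """Canonical DNS wire form: lowercase labels, each prefixed by its length, root as 0x00."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def fdh_digest(data: bytes) -> int:
    """Assumed full-domain hash: counter-mode SHA-256 expanded to the modulus size, reduced mod N."""
    stream = b"".join(hashlib.sha256(data + i.to_bytes(4, "big")).digest()
                      for i in range(NBYTES // 32 + 1))
    return int.from_bytes(stream[:NBYTES], "big") % N

def nsec5_proof(name: str) -> int:
    """NSEC5 proof: RSA-FDH signature over the wire-encoded name; needs the private key."""
    return pow(fdh_digest(wire_encode(name)), D, N)

def verify_proof(name: str, proof: int) -> bool:
    """Anyone with the public key (N, E) can confirm a proof belongs to a name."""
    return 0 <= proof < N and pow(proof, E, N) == fdh_digest(wire_encode(name))

def nsec5_hash(proof: int) -> bytes:
    """NSEC5 hash: plain SHA-256 of the proof; no key involved."""
    return hashlib.sha256(proof.to_bytes(NBYTES, "big")).digest()

def nsec5_owner_label(name: str) -> str:
    """Base32hex of the NSEC5 hash, '=' padding dropped as NSEC3 does; the zone apex is appended to it."""
    b32 = base64.b32encode(nsec5_hash(nsec5_proof(name))).decode("ascii")
    return b32.translate(B32_TO_B32HEX).rstrip("=")

if __name__ == "__main__":
    for qname in ("www.example.org.", "WWW.Example.ORG"):  # same name, different case
        proof = nsec5_proof(qname)
        print(qname, proof, verify_proof(qname, proof), nsec5_owner_label(qname))
```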

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop