Any system which prevents zone enumeration requires online signing, 
https://www.cs.bu.edu/~goldbe/papers/nsec5faq.html

But NSEC5 is almost certainly not going to be adopted, simply because of the 
partial deployment problem.

NSEC3 lies work today, but people worry that NSEC3 might have server compromise 
compromise the ZSK.
So why not simply add a new DNSKEY record flag: NSEC3-only.  This flag means 
that the key in question can only be used to sign an NSEC* record when 
presenting NXDOMAIN.

This way, you can deploy this solution today using white lies, and as resolvers 
are updated, this reduces the potential negative consequence of a key 
compromise to “attacker can only fake an NXDOMAIN”, allowing everything else to 
still use offline signatures.

Combine with caching of the white lies to resist DOS attacks and you have a 
workable solution that prevents zone enumeration that is deployable today and 
has improved security (key can only fake NXDOMAIN) tomorrow.

--
Nicholas Weaver                  it is a tale, told by an idiot,
nwea...@icsi.berkeley.edu                full of sound and fury,
510-666-2903                                 signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
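Resolver-side model of the proposed NSEC3-only flag, as an added example that is not from the post or from any DNS implementation. The flag bit value, the record classes and the function names are assumptions for illustration (only the RFC 4034 ZONE_KEY bit is real); the point it shows is that a signature from the online key validates an NSEC3 record in an NXDOMAIN answer and nothing else, so a compromised online key cannot forge a positive answer.

```python
# Added example (not from the post): a resolver-side model of the proposed
# "NSEC3-only" DNSKEY flag. The flag bit value, record model and function
# names are assumptions for illustration; only ZONE_KEY is a real RFC 4034 bit.
from dataclasses import dataclass

FLAG_ZONE_KEY = 0x0100      # RFC 4034 Zone Key bit (bit 7)
FLAG_NSEC3_ONLY = 0x0002    # placeholder bit for the proposed flag, not assigned
NEGATIVE_PROOF_TYPES = {"NSEC", "NSEC3"}


@dataclass(frozen=True)
class DNSKey:
    key_tag: int
    flags: int


@dataclass(frozen=True)
class RRSIG:
    type_covered: str   # RR type the signature claims to cover
    key_tag: int        # which DNSKEY produced it


def key_may_sign(key: DNSKey, sig: RRSIG, rcode: str) -> bool:
    """Policy the post proposes: a key flagged NSEC3-only is trusted for
    NSEC/NSEC3 records presented with NXDOMAIN and for nothing else.
    Cryptographic verification of the signature is assumed to have passed."""
    if not key.flags & FLAG_ZONE_KEY:
        return False
    if key.flags & FLAG_NSEC3_ONLY:
        return sig.type_covered in NEGATIVE_PROOF_TYPES and rcode == "NXDOMAIN"
    return True


def accept_rrset(keys: dict, sig: RRSIG, rcode: str) -> str:
    """Return 'secure' if the key named by the RRSIG's key tag is allowed
    to sign this record type in this response, else a short bogus reason."""
    key = keys.get(sig.key_tag)
    if key is None:
        return "bogus: unknown key tag"
    if not key_may_sign(key, sig, rcode):
        return "bogus: key not authorised for this type/rcode"
    return "secure"


# Constructed zone: an offline ZSK plus an online key restricted to white lies.
KEYS = {
    12345: DNSKey(12345, FLAG_ZONE_KEY),                     # offline ZSK
    54321: DNSKey(54321, FLAG_ZONE_KEY | FLAG_NSEC3_ONLY),   # online, NSEC3-only
}

if __name__ == "__main__":
    # White lie: NSEC3 in an NXDOMAIN response signed by the online key.
    print(accept_rrset(KEYS, RRSIG("NSEC3", 54321), "NXDOMAIN"))   # secure
    # Compromised online key used to forge a positive answer: rejected.
    print(accept_rrset(KEYS, RRSIG("A", 54321), "NOERROR"))        # bogus
```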
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop