Paul Hoffman wrote on 2017-01-05 20:44:

>> A pre-computed chain does not provide the same benefit. It increases the
>> enumeration cost in terms of network queries (CPU time is of less
>> importance here because the collection process is network-bound except
>> for the very last few NSEC3 records). Enumeration remains feasible with
>> pre-computed chains unless you re-salt and re-sign the zone at an
>> interval that is shorter than the duration needed to send one query
>> for each NSEC3 record in a zone.
> 
> Doesn't that last sentence assume that the attacker has a complete
> dictionary of possible values in the zone?

To collect an NSEC3 record it suffices to find a random non-existing
name whose hash value cuts the NSEC3 record. This does not require a
lot of hashing attempts, and a dictionary is not required. By keeping
track of which NSEC3 records you have already seen, you only need to
send network queries for hash ranges not yet discovered.

This gives you the whole NSEC3 chain, though not the cleartext names
yet. The cost for recovering cleartext names depends on the iteration
count and the number of candidate names you try (i.e. the size of the
dictionary), but not (or maybe little) on the size of the chain.

Regards,
Matt
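As an added illustration (not part of Matt's message or of any project's code), the simulation below reproduces the collection cost described above on a constructed zone: every query for a non-existent name yields exactly one not-yet-seen NSEC3 record, so the number of queries equals the chain length while the local hashing stays modest. The hash follows RFC 5155 section 5 and is checked against the Appendix A parameters (salt aabbccdd, 12 iterations); `covering_record` stands in for the authoritative server's answer, and the zone contents and candidate names are constructed.

```python
import base64
import bisect
import hashlib
import random


def nsec3_hash(name: str, salt: bytes, iterations: int) -> bytes:
    """RFC 5155 section 5: SHA-1(owner || salt), re-hashed `iterations` more times."""
    labels = [l.encode("ascii").lower() for l in name.rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"  # canonical wire-format owner name
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def to_base32hex(digest: bytes) -> str:
    """Owner-name encoding used for NSEC3 records (RFC 4648 base32hex, lowercase, no padding for 20 bytes)."""
    std = base64.b32encode(digest).decode("ascii").lower()
    return std.translate(str.maketrans("abcdefghijklmnopqrstuvwxyz234567",
                                       "0123456789abcdefghijklmnopqrstuv"))


def build_chain(names, salt: bytes, iterations: int) -> list:
    """Sorted owner hashes; record i covers the gap from chain[i] up to chain[i+1], the last wraps to the first."""
    return sorted(nsec3_hash(n, salt, iterations) for n in names)


def covering_record(chain: list, h: bytes) -> int:
    """Index of the NSEC3 record whose gap contains h (what a query for a non-existent name returns)."""
    return (bisect.bisect_right(chain, h) - 1) % len(chain)


def simulate_collection(chain: list, salt: bytes, iterations: int, seed: int = 0):
    """Collect every record of the chain; returns (network queries sent, hashes computed locally)."""
    rng = random.Random(seed)
    seen, queries, hashes = set(), 0, 0
    while len(seen) < len(chain):
        while True:  # hash locally until a candidate lands in a gap not yet retrieved
            hashes += 1
            h = nsec3_hash(f"x{rng.getrandbits(64):016x}.example.", salt, iterations)
            idx = covering_record(chain, h)
            if idx not in seen:  # whether h lies in an already-seen gap is decidable offline from seen records
                break
        queries += 1  # one query for that non-existent name returns the covering record
        seen.add(idx)
    return queries, hashes


if __name__ == "__main__":
    salt, iterations = bytes.fromhex("aabbccdd"), 12  # RFC 5155 Appendix A parameters
    names = ["example."] + [f"host{i}.example." for i in range(200)]  # constructed zone
    chain = build_chain(names, salt, iterations)
    q, hcount = simulate_collection(chain, salt, iterations, seed=1)
    print(f"{len(chain)} NSEC3 records: {q} queries, {hcount} local hashes")
```

Dividing the query count by the rate at which the server answers gives the time an operator has to beat with the re-salt interval.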


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
