Moin!

On 10 Mar 2017, at 19:15, Shumon Huque wrote:

> I would like to see us deploy an authenticated denial of existence
> mechanism that is not eminently susceptible to offline dictionary
> attack. My experience so far is that most people in the crypto
> community do not look favorably on NSEC3. Not just Dan Bernstein,
> whose strong criticisms are well known (and correct in my opinion).
> IETF protocols should pass muster with the professional cryptographer
> community.
As others have said, there is more than one way to get the zone content
without doing a dictionary attack on the authoritative server (passive
DNS, browser bars, pretty much everything that collects names). So even
if you have a technically solid solution so that you can't get it from the
authoritative servers, it will still be possible to do it. So you don't
solve a real-world problem.

NSEC3 was done to solve two problems (easy zone enumeration, opt-out)
for large providers of DNS services (ccTLDs, Verisign). All of these
providers now have DNSSEC, so what is the point of introducing
something that will cause more disruption and maybe slow down adoption
of DNSSEC further?

IMHO there are other things we should work on, like getting more
people to validate and rolling to elliptic curve algorithms.

So long
-Ralf

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
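The offline dictionary attack on NSEC3 that the quoted text refers to, as an added example that is not part of the thread and not code from any of its participants. It implements the RFC 5155 hash (SHA-1, salt, iterations, base32hex) and then recovers names from a set of NSEC3 owner hashes by hashing guesses locally; the only network-free input an attacker needs is the salt and iteration count, which the NSEC3 records themselves publish. The zone name, salt and iteration count match the RFC 5155 Appendix A test vector so the hash can be checked against it; the hidden names, the "collected" hashes and the wordlist are constructed here for the demonstration.

```python
import base64
import hashlib
from typing import Dict, Iterable, Set

# Standard base32 alphabet -> base32hex ("Extended Hex", RFC 4648 s.7), which
# is what NSEC3 owner names use.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    "0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each prefixed
    by its length, terminated by the zero-length root label."""
    name = name.lower().rstrip(".")
    out = bytearray()
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label {label!r}")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def nsec3_hash(name: str, salt_hex: str = "", iterations: int = 0) -> str:
    """NSEC3 hash per RFC 5155 section 5 with hash algorithm 1 (SHA-1):
    IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt), i.e. `iterations`
    extra rounds on top of the first. Result is lowercase base32hex."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes -> exactly 32 base32 characters, so there is no '=' padding.
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def dictionary_attack(owner_hashes: Iterable[str], zone: str, salt_hex: str,
                      iterations: int, wordlist: Iterable[str]) -> Dict[str, str]:
    """Recover names behind NSEC3 owner hashes by hashing guesses locally.

    Once the NSEC3 records have been collected (from a walk of the chain or
    just from NXDOMAIN answers), no further query reaches the authoritative
    server; salt and iteration count are public in the records themselves."""
    targets: Set[str] = {h.lower() for h in owner_hashes}
    candidates = [zone] + [f"{w}.{zone}" for w in wordlist]   # apex plus one label
    found: Dict[str, str] = {}
    for candidate in candidates:
        h = nsec3_hash(candidate, salt_hex, iterations)
        if h in targets:
            found[h] = candidate
    return found


# Constructed scenario (not from the post): a zone signed with the RFC 5155
# Appendix A parameters (salt aabbccdd, 12 iterations). The "collected"
# hashes are computed here from a made-up set of names standing in for what
# an attacker would scrape from NSEC3 records.
ZONE = "example"
SALT = "aabbccdd"
ITERATIONS = 12
_HIDDEN_NAMES = ["example", "a.example", "ns1.example", "www.example",
                 "internal-db.example"]
COLLECTED_HASHES = [nsec3_hash(n, SALT, ITERATIONS) for n in _HIDDEN_NAMES]
WORDLIST = ["www", "mail", "ftp", "ns1", "ns2", "a", "vpn"]   # no "internal-db"


def run_attack() -> Dict[str, str]:
    """Hash -> recovered name for every collected hash the wordlist covers."""
    return dictionary_attack(COLLECTED_HASHES, ZONE, SALT, ITERATIONS, WORDLIST)


if __name__ == "__main__":
    recovered = run_attack()
    for h in COLLECTED_HASHES:
        print(f"{h}  ->  {recovered.get(h, '(not in wordlist)')}")
```

With these parameters the apex hashes to 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom, the RFC 5155 Appendix A value. Four of the five constructed names fall out of a seven-word list; the one that does not is simply absent from the wordlist, which is the whole point: the work is bounded by guessing effort and the iteration count, and the authoritative server never sees it.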
