Re: NSEC3 Issue 10: Potential DoS on Servers,
Ben Laurie <ben@algroup.co.uk> Wed, 21 June 2006 23:54 UTC
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FtCX8-00049F-2I for dnsext-archive@lists.ietf.org; Wed, 21 Jun 2006 19:54:54 -0400
Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FtCX5-0000QO-I5 for dnsext-archive@lists.ietf.org; Wed, 21 Jun 2006 19:54:54 -0400
Received: from majordom by psg.com with local (Exim 4.60 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1FtCV1-0004bV-7e for namedroppers-data@psg.com; Wed, 21 Jun 2006 23:52:43 +0000
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-1.9 required=5.0 tests=AWL,BAYES_00,SPF_NEUTRAL autolearn=no version=3.1.1
Received: from [217.155.92.109] (helo=mail.links.org) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.60 (FreeBSD)) (envelope-from <ben@algroup.co.uk>) id 1FtCUz-0004bF-V4 for namedroppers@ops.ietf.org; Wed, 21 Jun 2006 23:52:42 +0000
Received: from [193.133.15.218] (localhost [127.0.0.1]) by mail.links.org (Postfix) with ESMTP id DA42333C1A; Thu, 22 Jun 2006 00:52:39 +0100 (BST)
Message-ID: <4499DBD1.3040109@algroup.co.uk>
Date: Thu, 22 Jun 2006 00:52:49 +0100
From: Ben Laurie <ben@algroup.co.uk>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060516 Thunderbird/1.5.0.4 Mnenhy/0.7.4.0
MIME-Version: 1.0
To: dwheeler@dwheeler.com
CC: namedroppers@ops.ietf.org, geoff@nominet.org.uk, roy@nominet.org.uk
Subject: Re: NSEC3 Issue 10: Potential DoS on Servers,
References: <E1FtCBH-0005yj-Fm@fenris.runbox.com>
In-Reply-To: <E1FtCBH-0005yj-Fm@fenris.runbox.com>
X-Enigmail-Version: 0.93.0.0
Content-Type: text/plain; charset="ISO-8859-15"
Content-Transfer-Encoding: 7bit
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 9ed51c9d1356100bce94f1ae4ec616a9
David A. Wheeler wrote:
> Earlier an "NSEC3 issue 10" was noted, saying:
>> Significantly more work is required for a name server to
>> respond to queries which require negative proofs using NSEC3
>> than is required for a client to compose and send them.
>
> I don't understand this as an issue, and I'm concerned that I may be
> misunderstanding NSEC3.  It seems to me that the whole point
> of the NSEC3 design is that all the hashes and signatures can
> be precomputed, offline.  You don't want the signing key to BE on-line,
> and you cannot assert that hash ranges don't exist until you've
> computed ALL the valid hash values anyway.  And the hash already includes
> the salt, iterations, etc.  So I'd expect the entire chain of hash
> calculations and signing to be done off-line, where DoS is irrelevant.
>
> Thus, when a client sends a request, the server should be able to
> trivially determine the non-match, find the relevant NSEC3 key
> (a trivial binary search would be fine), and send the appropriate canned response.
> The computation in view is very trivial; I wouldn't expect any complex computations
> to be done for an NSEC3 response by a sensible name server (at run time).
>
> Do I misunderstand things? If so, please enlighten me!

The problem is that the server has to calculate iterated hashes to find
the right NSEC3 records.

>
> --- David A. Wheeler

-- 
http://www.apache-ssl.org/ben.html       http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
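The point Ben makes, that the server cannot simply binary-search a canned chain but must hash at query time, as an added worked example (this is not code from the thread or from any NSEC3 implementation). The chain itself is precomputed once, offline; but to answer a query for a name that does not exist, the server hashes the query name and each of its ancestors, with the zone's salt and iteration count, until it reaches the closest encloser, then hashes the wildcard at that encloser, and every one of those names costs iterations+1 SHA-1 invocations. The zone names, salt and iteration count below are constructed, and the `meter` dictionary is an illustrative counter of this example, not an RFC 5155 construct; the check on "example." with salt aabbccdd and 12 iterations uses the RFC 5155 Appendix A hash.

```python
"""NSEC3 hashing (RFC 5155 section 5) and the hashing a server does per query.

Added example for this thread, not code from the namedroppers discussion.
The zone names, salt and iteration count below are constructed."""
import base64
import hashlib
from bisect import bisect_right
from typing import Optional

# Map the RFC 4648 base32 alphabet onto base32hex, which NSEC3 owner names use.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    "0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) uncompressed wire form: length-prefixed labels, zero byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int, meter: Optional[dict] = None) -> str:
    """IH(x, 0) = H(x || salt); IH(x, k) = H(IH(x, k-1) || salt); H is SHA-1.

    `meter` is an assumption of this example (not part of the RFC): it counts SHA-1 calls.
    """
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    if meter is not None:
        meter["sha1_calls"] += iterations + 1
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)


class Nsec3Chain:
    """The precomputed (offline) part: every existing owner name hashed once and sorted."""

    def __init__(self, apex: str, names: list, salt: bytes, iterations: int):
        self.apex = apex.lower()
        self.salt = salt
        self.iterations = iterations
        self.owners = sorted(nsec3_hash(n, salt, iterations) for n in names)
        self.owner_set = set(self.owners)

    def covering(self, hashed: str) -> tuple:
        """NSEC3 record (owner, next) whose interval covers a hash that is not an owner."""
        i = bisect_right(self.owners, hashed) - 1
        if i < 0:  # before the first owner: the last record wraps around to cover it
            i = len(self.owners) - 1
        return self.owners[i], self.owners[(i + 1) % len(self.owners)]

    def negative_proof(self, qname: str) -> dict:
        """The per-query (online) part: hash names until the closest encloser is found."""
        meter = {"sha1_calls": 0}
        hashed = {}

        def h(n: str) -> str:
            if n not in hashed:  # each distinct name is hashed once per query
                hashed[n] = nsec3_hash(n, self.salt, self.iterations, meter)
            return hashed[n]

        labels = qname.lower().rstrip(".").split(".")
        apex_labels = self.apex.rstrip(".").split(".")
        assert labels[-len(apex_labels):] == apex_labels, "qname not in zone"
        # Candidate ancestors from qname up to the apex, each as an absolute name.
        ancestors = [".".join(labels[i:]) + "." for i in range(len(labels) - len(apex_labels) + 1)]

        if h(ancestors[0]) in self.owner_set:
            return {"exists": True, "names_hashed": len(hashed), "sha1_calls": meter["sha1_calls"]}

        # Walk upward: the first ancestor whose hash is in the chain is the closest encloser.
        for idx in range(1, len(ancestors)):
            if h(ancestors[idx]) in self.owner_set:
                closest = ancestors[idx]
                next_closer = ancestors[idx - 1]
                break
        else:
            raise ValueError("apex must be in the chain")

        # The constructed zone has no wildcard, so the wildcard hash is always covered.
        wildcard = "*." + closest
        return {
            "exists": False,
            "closest_encloser": closest,
            "next_closer": next_closer,
            "next_closer_covered_by": self.covering(h(next_closer)),
            "wildcard_covered_by": self.covering(h(wildcard)),
            "names_hashed": len(hashed),
            "sha1_calls": meter["sha1_calls"],
        }


# Constructed zone: a handful of names, salt and iteration count chosen for the demo.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 100
ZONE = Nsec3Chain("example.", ["example.", "ns1.example.", "c.example.", "www.c.example."],
                  SALT, ITERATIONS)

if __name__ == "__main__":
    print(ZONE.negative_proof("a.b.c.example."))
```

With the constructed zone, a query for a.b.c.example. makes the server hash four names (a.b.c, b.c, c and *.c under example.), which at 100 iterations is 404 SHA-1 calls for one short UDP query; the four names in the chain were hashed exactly once, offline, when the chain was built. The asymmetry grows linearly with the iteration count and with the number of labels below the closest encloser, which is the cost the issue text describes.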