IETF Logo Mail Archive

Re: [DNSOP] Stupid thought: why not an additional DNSKEY record flag: NSEC* only...

Matthäus Wander <matthaeus.wander@uni-due.de> Thu, 05 January 2017 20:41 UTC

Return-Path: <matthaeus.wander@uni-due.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A6131200A0 for <dnsop@ietfa.amsl.com>; Thu, 5 Jan 2017 12:41:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.3
X-Spam-Level:
X-Spam-Status: No, score=-7.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-3.1] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9tp-qm4ZdKBi for <dnsop@ietfa.amsl.com>; Thu, 5 Jan 2017 12:41:11 -0800 (PST)
Received: from mailout.uni-due.de (mailout.uni-due.de [132.252.185.19]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C877B1293F9 for <dnsop@ietf.org>; Thu, 5 Jan 2017 12:41:10 -0800 (PST)
Received: from [192.168.178.22] (x4e304a67.dyn.telefonica.de [78.48.74.103]) (authenticated bits=0) by mailout.uni-due.de (8.13.1/8.13.1) with ESMTP id v05Kf8uH016774 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Thu, 5 Jan 2017 21:41:08 +0100
To: Paul Hoffman <paul.hoffman@vpnc.org>
References: <FEDF56ED-D27D-44A7-8989-C8920BC6C1CE@icsi.berkeley.edu> <98A24DD4-91B6-4FFC-8A6F-C26D75175B85@vpnc.org> <f6125e52-e8a7-a872-7a6e-b2873e1ad1a2@uni-due.de> <E2DFFE81-90BE-4699-BB2F-713D699ADC6C@vpnc.org>
From: Matthäus Wander <matthaeus.wander@uni-due.de>
Message-ID: <89926cbc-1eba-1592-4fea-584382807a45@uni-due.de>
Date: Thu, 05 Jan 2017 21:41:06 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.6.0
MIME-Version: 1.0
In-Reply-To: <E2DFFE81-90BE-4699-BB2F-713D699ADC6C@vpnc.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms050301010508020108080208"
X-Virus-Scanned: Clam Anti Virus - http://www.clamav.net
X-Spam-Scanned: SpamAssassin: 3.002004 - http://www.spamassassin.org
X-Scanned-By: MIMEDefang 2.57 on 132.252.185.19
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/5QHRZSKjSgWyju9TbeihLRAscH8>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Stupid thought: why not an additional DNSKEY record flag: NSEC* only...
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2017 20:41:12 -0000

Paul Hoffman wrote on 2017-01-05 20:44:

>> A pre-computed chain does not provide the same benefit. It increases the
>> enumeration cost in terms of network queries (CPU time is of less
>> importance here because the collection process is network-bound except
>> for the very last few NSEC3 records). Enumeration remains feasible with
>> pre-computed chains unless you re-salt and re-sign the zone in an
>> interval, which is shorter than the duration needed to send one query
>> for each NSEC3 record in a zone.
> 
> Doesn't that last sentence assume that the attacker has a complete
> dictionary of possible values in the zone?

To collect an NSEC3 record it suffices to find a random non-existing
name, whose hash value cuts the NSEC3 record. This does not require a
lot of hashing attempts and a dictionary is not required. By keeping
track of which NSEC3 records you have already seen, you only need to
send network queries for hash ranges not yet discovered.

This gives you the whole NSEC3 chain, though not the cleartext names
yet. The cost for recovering cleartext names depends on the iteration
count and the number of candidate names you try (i.e. size of
dictionary), but not (or maybe little) on the size of the chain.

Regards,
Matt

v2.23.0 | Report a Bug | By Email