Re: [DNSOP] DNSOPI-D Action: draft-ietf-dnsop-nsec3-guidance-02.txt

Petr Špaček <> Fri, 26 November 2021 11:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 85AB73A0D3F for <>; Fri, 26 Nov 2021 03:32:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.951
X-Spam-Status: No, score=-3.951 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-1.852, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key) header.b=WWSsZ3nB; dkim=pass (1024-bit key) header.b=fKxglRvC
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LrbcWBjI3wac for <>; Fri, 26 Nov 2021 03:32:25 -0800 (PST)
Received: from ( [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 274253A060D for <>; Fri, 26 Nov 2021 03:32:25 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by (Postfix) with ESMTPS id 344B6433F27; Fri, 26 Nov 2021 11:32:23 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=ostpay; t=1637926343; bh=pPGkxigOwPZGkgSeXw/mSD7xCGb6hwfBxNixOPzRKhY=; h=Date:To:References:From:Subject:In-Reply-To; b=WWSsZ3nBRfVrP58Tgmat6emYRa4pxYiuI0djQcaPv19R0aqQXzF2I5BBg48cySIps INVuEW1pu2OMTyw+6prm8fKldcpNJXy957nqtlnHMPtEWy4FOmopdu6SSdKHOcee+9 F1xvPo0F1SR2el+KpGCYFgVKnCloVaX5QDOdiyy0=
Received: from (localhost.localdomain []) by (Postfix) with ESMTPS id 1CBF7F23573; Fri, 26 Nov 2021 11:32:23 +0000 (UTC)
Received: from localhost (localhost.localdomain []) by (Postfix) with ESMTP id E12DAF23576; Fri, 26 Nov 2021 11:32:22 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 E12DAF23576
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1637926342; bh=pPGkxigOwPZGkgSeXw/mSD7xCGb6hwfBxNixOPzRKhY=; h=Message-ID:Date:MIME-Version:To:From; b=fKxglRvC9Cr+sChTTVUeQAJpFCjYbdA/4bQ/tO+zGtwEXY4U6CuDYQ6twS3N9xWH/ MD6x6CB/yAu2Q3rjtxTGu1DyYvat+SWRgwjFZuqCBV1QPTWflkzO1k++s3NnQRzUmH 4bQBBbhvXQgK/JMEBlMq0264zsgGnl6CKAgBFcUU=
Received: from ([]) by localhost ( []) (amavisd-new, port 10026) with ESMTP id nOqsdhGjPqrf; Fri, 26 Nov 2021 11:32:22 +0000 (UTC)
Received: from [] ( []) by (Postfix) with ESMTPSA id 43BEFF23573; Fri, 26 Nov 2021 11:32:22 +0000 (UTC)
Message-ID: <>
Date: Fri, 26 Nov 2021 12:32:19 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.3.2
Content-Language: en-US
To: Vladimír Čunát <>,
References: <> <> <> <> <>
From: Petr Špaček <>
In-Reply-To: <>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [DNSOP] DNSOPI-D Action: draft-ietf-dnsop-nsec3-guidance-02.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 26 Nov 2021 11:32:30 -0000

On 26. 11. 21 11:49, Vladimír Čunát wrote:
> On 25/11/2021 13.00, Petr Špaček wrote:
>> IMHO in the context of NSEC3 the salt would make sense _only_ if it 
>> were rotated faster than attacker was able to walk the zone. Once 
>> attacker has list of hashes available for offline cracking the salt 
>> does not do anything useful anymore. 
> I disagree; you don't need to rotate so fast.  At a moment when a 
> particular salt won't be contained in future answers, there's no point 
> in creating a dictionary anymore as it's cheaper to crack the gathered 
> hashes individually.  The only value of dictionary is (possibly) 
> speeding up attacks on names that will appear in future - and the only 
> value in re-salting is in making this technique more expensive. 
> Resalting interval is the period when a particular dictionary is useful, 
> so basically by halving the interval you double the price of this.  [all 

You are right right, I did not consider "crack names which do not exist 
yet" scenario and focused only on dictionary reuse across zones.

Do you have specific proposals for draft text?

Also, when we are theorizing, we can also consider that resalting 
thwarts simple correlation: After a resalt attacker cannot tell if a set 
of names has changed or not. With a constant salt attacker can detect 
new and removed names by their hash. (I'm not sure it is useful 
information without cracking the hashes.)

Petr Špaček