On Mon, 8 Nov 2021, Viktor Dukhovni wrote:

These points make a good starting point for a draft recommending to not use NSEC3:

* Accept that sufficiently determined adversaries will mount a dictionary attack, but there won't be many of them. Make do with NSEC3 and zero iterations.

* Accept that your zone data is not secret, publish vanilla NSEC records and let the zone walkers go at it. For some TLDs, spin up a public AXFR service, or make zone data available via HTTPS, call it "Open Data".

* Use NSEC in combination with online signing (with ECDSA P256(13)), using minimal covering NSEC RRs. These *actually* preclude offline dictionary attacks at the cost of online signing of negative answers. If not leaking zone data is important enough, this is the actually secure way to get there.

It just needs a little chat about OPT-OUT as well, and that this might save memory and bandwidth, but has a security price associated with it.

Paul

ps. guess i should do an algo roll from nsec3 to nsec now for my own zone :)

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
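
Added example, not part of the original message or of any DNS server's code: a Python sketch contrasting the second and third options in the list, namely what a vanilla NSEC discloses for a nonexistent name versus a minimally covering NSEC range in the style of RFC 4470. The zone contents, query name and all function names are constructed for illustration; `predecessor` is a simplified close predecessor rather than RFC 4470's exact derivation, names are assumed to carry no escapes, and the signing step itself is omitted.

```python
import bisect

MAX_NAME, MAX_LABEL = 255, 63  # wire-format limits on a name and on one label

def parse(name):
    """Text name -> list of lowercased label bytes (no escape handling)."""
    return [l.lower().encode() for l in name.rstrip(".").split(".") if l]

def key(labels):
    """Canonical DNSSEC ordering: compare labels right to left as raw octets."""
    return tuple(reversed(labels))

def wire_len(labels):
    return sum(len(l) + 1 for l in labels) + 1

def successor(q):
    """Immediate canonical successor of q: prepend a single 0x00 label."""
    if wire_len(q) + 2 > MAX_NAME:
        raise ValueError("name too long for this simplified successor")
    return [b"\x00"] + q

def predecessor(q):
    """A close canonical predecessor of q (simplified, see lead-in)."""
    first, rest = q[0], q[1:]
    if first == b"\x00":
        return rest                     # the parent sorts just before \000.parent
    if first[-1] == 0:
        return [first[:-1]] + rest      # drop the trailing 0x00 octet
    last = first[-1] - 1
    if 0x41 <= last <= 0x5A:            # skip A-Z, which fold to a-z in comparisons
        last = 0x40
    room = min(MAX_LABEL, MAX_NAME - wire_len(rest) - 1) - len(first)
    return [first[:-1] + bytes([last]) + b"\xff" * room] + rest

def plain_nsec(zone, q):
    """Vanilla NSEC: owner and next are q's real neighbours, so both leak."""
    names = sorted(zone, key=key)
    i = bisect.bisect_left([key(n) for n in names], key(q))
    return names[i - 1], names[i % len(names)]

def minimal_nsec(zone, q):
    """Synthesized NSEC range that covers q and no existing name."""
    owner, nxt = predecessor(q), successor(q)
    if q in zone or any(key(owner) < key(n) < key(nxt) for n in zone):
        raise ValueError("range would deny an existing name")
    return owner, nxt

# Constructed sample zone (apex first) and a query for a name that does not exist.
ZONE = [parse(n) for n in ("example.", "admin.example.", "mail.example.",
                           "vpn-internal.example.", "www.example.")]
Q = parse("nope.example.")
```

For the constructed query, `plain_nsec` returns the real neighbours `mail.example.` and `vpn-internal.example.`, while `minimal_nsec` returns two synthesized names derived only from the query itself.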