Petr Menšík <[email protected]> wrote:
>
> I thought it is not a problem, because it contains multiple iterations.
> Yet a popular TLD has iterations==0. This is about how the hash of a name is
> created from the original Next Hashed Owner Name. No other algorithm for
> this is defined.
>
> My conclusion is that the owner name hash is not security sensitive. But I never
> saw that written in any RFC I read. I cannot say I read or know all
> relevant drafts. Is it obvious to everyone but me?
Maybe not obvious, but it is sort of implied by RFC 5155, because if you
are not worried about zone enumeration then there's no point in heavy
hashing. And since then there has been plenty of academic work showing
how easy it is to enumerate a zone despite NSEC3. There is a fairly
straightforward discussion of the issue in section 2.3 of this draft:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance
--
Tony Finch <[email protected]> https://dotat.at/
Fisher: West or southwest 2 to 4, occasionally 5 later. Smooth or
slight. Mainly fair. Moderate or good, occasionally poor.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
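As an added illustration of the hash derivation the thread is discussing (written for this page, not code from either poster), this is the RFC 5155 section 5 owner-name hash together with the NSEC3PARAM presentation format that the "iterations==0" remark refers to. It assumes Python 3 only and checks itself against the RFC 5155 Appendix A vector (zone "example", salt aabbccdd, 12 iterations); the iteration count changes nothing but the number of SHA-1 calls the signer and every validating resolver spend per name.

```python
import base64
import hashlib

# base32 (RFC 4648 A-Z2-7) -> base32hex (0-9A-V), the alphabet NSEC3 owner names use
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercased labels, each length-prefixed,
    terminated by the root label. Input may be absolute ("a.example.") or relative."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 s5: IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    H is SHA-1 (the only hash algorithm defined), so this costs iterations + 1 SHA-1 calls.
    Returns the base32hex hashed owner name as it appears in the zone (lower case, no padding)."""
    digest = hashlib.sha1(owner_name_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> exactly 32 base32 characters, so no '=' padding to strip
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def parse_nsec3param(rdata: str):
    """Parse NSEC3PARAM presentation format "<alg> <flags> <iterations> <salt-hex|->".
    A salt of "-" means the empty salt; a zone with "1 0 0 -" hashes each name exactly once."""
    alg, flags, iterations, salt = rdata.split()
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return int(alg), int(flags), int(iterations), salt_bytes


def hash_zone_names(names, nsec3param: str) -> dict:
    """What a signer does: map every owner name to its hashed owner name under the zone's parameters."""
    alg, _flags, iterations, salt = parse_nsec3param(nsec3param)
    if alg != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined")
    return {name: nsec3_hash(name, salt, iterations) for name in names}
```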