Confidentiality is not possible unless all the queries are encrypted. Using asymmetric cryptography for a small message is possible, but for a zone transfer it will have an effect on the DNS performance. So one needs to use symmetric approaches (something like what was done in the paper that I sent the link to in my last message). Using one-way hashing, as DNSSEC does with NSEC3, does not completely provide the zone file with data confidentiality. We tested this procedure, and it was possible to retrieve thousands of records within 2 hours using a standard computer. Dictionary attacks and brute-force attacks are also possible, which leads to zone walking.
Hosnieh

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
