Zeros Are Heroes: NSEC3 Parameter Settings in the Wild - DRAKKAR
Conference paper. Year: 2024

Abstract

Domain Name System Security Extensions (DNSSEC) enhanced the security of conventional DNS by providing data integrity and origin authentication, but enabled zone walking as a side effect. To address this issue, the Next Secure (NSEC3) resource record provides an authenticated denial of existence mechanism based on hashes of domain names. However, an improper selection of the NSEC3 parameters may significantly degrade the performance of resolvers and authoritative name servers alike. RFC 9276 (Guidance for NSEC3 Parameter Settings) imposes additional constraints on hash computation parameters, crucial in light of emerging security threats such as CPU resource exhaustion attacks. Despite this guideline, our analysis of over 302 M registered domain names reveals that 87.8 % of 15.5 M NSEC3-enabled domains fail to adhere to RFC 9276 with a dozen using 500 additional hash iterations. Furthermore, 78.3 % of 114 K open and closed validating resolvers impose the RFC's additional constraints on hash iterations with 18.4 % returning SERVFAIL, possibly rendering non-compliant domains unreachable.
Main file
IMC_2024__NSEC3_Parameter_Settings_In_The_Wild.pdf (577.2 KB)
Origin: Files produced by the author(s)

Dates and versions

hal-04694771 , version 1 (11-09-2024)

Identifiers

  • HAL Id : hal-04694771 , version 1

Cite

Cordian Alexander Daniluk, Yevheniya Nosyk, Andrzej Duda, Maciej Korczyński. Zeros Are Heroes: NSEC3 Parameter Settings in the Wild. Internet Measurement Conference, ACM, Nov 2024, Madrid, Spain. ⟨hal-04694771⟩