You are looking at a specific version 20141111:103758 of this paper. See the latest version.

Paper 2014/582

NSEC5: Provably Preventing DNSSEC Zone Enumeration

Sharon Goldberg and Moni Naor and Dimitrios Papadopoulos and Leonid Reyzin and Sachin Vasant and Asaf Ziv

Abstract

This paper uses cryptographic techniques to study the problem of zone enumeration in DNSSEC. DNSSEC is designed to prevent network attackers from tampering with domain name system (DNS) messages. The cryptographic machinery used in DNSSEC, however, also creates a new vulnerability, zone enumeration, enabling an adversary to use a small number of online DNSSEC queries combined with offline dictionary attacks to learn which domain names are present or absent in a DNS zone. We prove that the design underlying current DNSSEC standard, with NSEC and NSEC3 records, inherently suffers from zone enumeration: specifically, we show that security against network attackers and privacy against zone enumeration cannot be satisfied simultaneously unless the DNSSEC server performs online public-key cryptographic operations. We then propose NSEC5, a new cryptographic construction that solves the problem of DNSSEC zone enumeration while remaining faithful to the operational realities of DNSSEC. NSEC5 can be thought of as a variant of NSEC3 in which the unkeyed hash function is replaced with an RSA-based keyed hashing scheme.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint. MINOR revision.
Contact author(s)
dipapado @ bu edu
History
2014-12-06: last of 8 revisions
2014-07-30: received
See all versions
Short URL
https://ia.cr/2014/582
License
Creative Commons Attribution
CC BY
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.