You are looking at a specific version 20170213:193528 of this paper. See the latest version.

Paper 2017/099

Can NSEC5 be practical for DNSSEC deployments?

Dimitrios Papadopoulos and Duane Wessels and Shumon Huque and Moni Naor and Jan Včelák and Leonid Reyzin and Sharon Goldberg

Abstract

NSEC5 is a new proposal for providing authenticated denial of existence for DNSSEC, i.e., for securely responding to DNS queries for names that do not exist in a zone. NSEC5 simultaneously guarantees two security properties: (1) privacy against zone enumeration, and (2) integrity of zone contents, even if an adversary compromises the authoritative nameserver responsible for responding to DNS queries for the zone. By contrast, today's DNSSEC protocol can guarantee one of these properties, but not both. This paper argues that NSEC5 not only improves DNS security, but is also practical and performant. To that end, we present a new version of NSEC5 that uses elliptic curve cryptography to achieve small DNSSEC responses and fast query-processing times. We also extend widely-used DNS software to present the first implementations of NSEC5 for an authoritative nameserver and a recursive resolver. We believe that our performance results indicate that NSEC5 can be a practical solution for DNSSEC deployments.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Preprint. MINOR revision.
Keywords
Internet protocolsverifiable random functionszone enumeration
Contact author(s)
dipapado @ cse ust hk
History
2022-08-09: last of 4 revisions
2017-02-13: received
See all versions
Short URL
https://ia.cr/2017/099
License
Creative Commons Attribution
CC BY
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.