Paper 2017/099

Making NSEC5 Practical for DNSSEC

Dimitrios Papadopoulos, Hong Kong University of Science and Technology
Duane Wessels
Shumon Huque
Moni Naor
Jan Včelák
Leonid Reyzin
Sharon Goldberg

NSEC5 is a proposed modification to DNSSEC that guarantees two security properties: (1) privacy against offline zone enumeration, and (2) integrity of zone contents, even if an adversary compromises the authoritative nameserver responsible for responding to DNS queries for the zone. In this work, we redesign NSEC5 in order to make it practical and performant. Our NSEC5 redesign features a new verifiable random function (VRF) based on elliptic curve cryptography (ECC), along with a cryptographic proof of its security. This VRF is also of independent interest, as it is being standardized by the IETF and being used by several other projects. We show how to integrate NSEC5 using our ECC-based VRF into DNSSEC, leveraging precomputation to improve performance and DNS protocol-level optimizations to shorten responses. Next, we present the first full-fledged implementation of NSEC5 for both nameserver and recursive resolver, and evaluate performance under aggressive DNS query loads. We find that our redesigned NSEC5 can be viable even for high-throughput scenarios.

Note: Editorial changes, improvements to VRF proofs

Available format(s)
Cryptographic protocols
Publication info
DNSSEC verifiable random functions elliptic curve cryptography implementation
Contact author(s)
dipapado @ cse ust hk
2022-08-09: last of 4 revisions
2017-02-13: received
See all versions
Short URL
Creative Commons Attribution


      author = {Dimitrios Papadopoulos and Duane Wessels and Shumon Huque and Moni Naor and Jan Včelák and Leonid Reyzin and Sharon Goldberg},
      title = {Making NSEC5 Practical for DNSSEC},
      howpublished = {Cryptology ePrint Archive, Paper 2017/099},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.