Alex Bligh wrote:
>> If NSEC2 or something a lot like it is deployed, I don't think this will
>> get rid of spammers/scammers/script kiddies doing NSEC2 walks.
>
> I may have missed it, but how do you get from the chain of hashed values
> (which you can download, but are uninteresting and ephemeral) to a
> list of domain names (assuming SHA-1 is one-way).

By dictionary attack. I'm not saying they get the full, complete zone.
NSEC2 is proof against that.

What I am saying is that walking an NSEC2 chain is still useful to the
sorts of people we've been denying AXFRs to. The most obvious, but not
the only, use for the chain is a dictionary attack -- you can easily
get 50-80% of names in a typical TLD zone via a straight dictionary
attack, given a local copy of the complete NSEC2 chain and surprisingly
little money's worth of compute power.

roy@dnss.ec wrote:
> PS. That's why Ben added an iterations field to NSECINFO to up the cost.

Unfortunately, it ups the cost to everyone else, too.

-- don

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: