Issue:

Significantly more work is required for a name server to respond to
queries which require negative proofs using NSEC3 than is required for
a client to compose and send them. For each such query, the name
server must repeat the hash function for the number of iterations
specified in the NSEC3 RRs. Consequently, name servers with NSEC3
zones are susceptible to asymmetric DoS attacks.


Resolution:

None at present.

If name servers serving NSEC3 zones were to have suitable hardware
acceleration for SHA-1, it's possible that the rate of queries required
to degrade server function could be made to be higher than that
required to saturate the server's network connection(s).

Also, while not optimal, implementations could provide a reduced
quality of service for queries which require negative proofs, so that
resolution and validation of existing names will not be compromised.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
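The asymmetry described under Issue above, worked through as an added example (this is not code from the original post or from any name server implementation): the RFC 5155 NSEC3 hash, the query a client has to send, and the three hashes a server must compute to assemble an NXDOMAIN proof. The salt (aabbccdd), iteration count (12) and the query name a.c.x.w.example come from RFC 5155 Appendices A and B.1; the set of zone names is a constructed subset of that zone, and the function names (wire_name, nsec3_hash, build_query, nxdomain_proof, asymmetry) are this example's own.

```python
"""
NSEC3 hashing (RFC 5155, section 5) and the per-query cost of an NXDOMAIN proof.

Constructed example: salt, iterations and the qname a.c.x.w.example are the
RFC 5155 Appendix A / B.1 values; ZONE_NAMES is a subset of that zone's names.
"""
from __future__ import annotations

import hashlib
import struct

# RFC 4648 section 7 "base32hex" alphabet; NSEC3 owner names use it in lowercase.
_B32HEX = "0123456789abcdefghijklmnopqrstuv"


def wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32 with the extended-hex alphabet, unpadded (a 20-byte SHA-1 digest gives 32 chars)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(_B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> tuple[str, int]:
    """RFC 5155 s5: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt).
    Returns the base32hex digest and how many SHA-1 invocations it cost (iterations + 1)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest), iterations + 1


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query with an EDNS(0) OPT RR carrying the DO bit: all a client needs
    to send to make the server return NSEC3 RRs in a negative answer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional
    question = wire_name(qname) + struct.pack("!HH", qtype, 1)   # QCLASS IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)  # root name, OPT, UDP size, DO bit, RDLEN 0
    return header + question + opt


def nxdomain_proof(qname: str, existing: set[str], salt: bytes, iterations: int) -> dict:
    """Server-side work for a Name Error response (RFC 5155 s7.2.2). The closest encloser is
    found in the plain-name tree, but the server then needs the hashes of three names to select
    the NSEC3 RRs: the one matching the closest encloser and the ones covering the next closer
    name and the wildcard at the closest encloser. Each hash costs iterations + 1 SHA-1 calls."""
    names = {n.lower().rstrip(".") for n in existing}
    labels = qname.lower().rstrip(".").split(".")
    if ".".join(labels) in names:
        raise ValueError("name exists; no NXDOMAIN proof is needed")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in names:
            break
    else:
        raise ValueError("qname is not below any name in the zone")
    ce = ".".join(labels[i:])
    next_closer = ".".join(labels[i - 1:])
    wildcard = "*." + ce
    hashes, calls = {}, 0
    for n in (ce, next_closer, wildcard):
        hashes[n], cost = nsec3_hash(n, salt, iterations)
        calls += cost
    return {"closest_encloser": ce, "next_closer": next_closer, "wildcard": wildcard,
            "hashes": hashes, "sha1_calls": calls}


# Constructed subset of the names in the RFC 5155 Appendix A "example" zone.
ZONE_NAMES = {"example", "a.example", "ai.example", "ns1.example", "ns2.example", "w.example",
              "*.w.example", "x.w.example", "x.y.w.example", "y.w.example", "xx.example"}
SALT = bytes.fromhex("aabbccdd")


def asymmetry(qname: str, iterations: int) -> tuple[int, int]:
    """(bytes the client sends, SHA-1 calls the server performs) for one NXDOMAIN query."""
    return len(build_query(qname)), nxdomain_proof(qname, ZONE_NAMES, SALT, iterations)["sha1_calls"]


if __name__ == "__main__":
    # 150 and 2500 are the RFC 5155 s10.3 iteration caps for 1024- and 4096-bit keys.
    for it in (0, 12, 150, 2500):
        sent, work = asymmetry("a.c.x.w.example", it)
        print(f"iterations={it:5d}: client sends {sent} bytes, server runs SHA-1 {work} times")
```

The client's cost is a constant 44-byte datagram per query; the server's grows linearly with the Iterations field, three full hash chains per NXDOMAIN answer, which is the asymmetry the post is about. The hash of the apex "example." with these parameters matches the owner name of the apex NSEC3 RR in RFC 5155 Appendix A (0p9mhaveqvm6t7vbl5lop2u3t2rp3tom), which is a useful check that an implementation applies the salt and iteration count the way the RFC specifies.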