11-13 October 2014
Hyatt Regency Century Plaza
US/Pacific timezone

Improved NSEC3 performance in DNSSEC

12 Oct 2014, 12:00
Westside (Hyatt Regency Century Plaza)


Hyatt Regency Century Plaza, 2025 Avenue of the Stars, Los Angeles, California 90067, USA
Public Workshop Sunday Workshop (Public)


Dr. Jonathan Tuliani (Microsoft)


A challenge in DNSSEC is that the ‘NSEC3’ records used to assert the non-existence of a given domain name can create a significant computational load on the DNS servers. This document describes an application of a cryptographic technique known as a ‘time-lock puzzle’ to the calculation of NSEC3 records. This provides a means of reducing this load whilst simultaneously increasing the security against DNS record enumeration offered by NSEC3.


This presentation shows how a 'computationally asymmetric cryptographic hash function' can be constructed from a cryptographic technique known as a time-lock puzzle (http://people.csail.mit.edu/rivest/lcs35-puzzle-description.txt).

We show how such a hash function may be useful in the context of NSEC3 records: it allows the computational load faced by an attacker enumerating a zone to be increased without a parallel increase in the computational load on the DNS server that generates such records or processes queries.
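The asymmetry can be illustrated with the repeated-squaring puzzle described at the linked URL. The sketch below is an added example, not the presentation's own construction or code: it raises a hashed owner name to the power 2^t modulo n, which takes t sequential squarings without the factorisation of n and a single short modular exponentiation with it. The toy modulus, the use of SHA-256 to derive the base, the value of T and all function names are assumptions.

```python
import hashlib

# Constructed toy modulus (assumption): two Mersenne primes, chosen only so the
# example is self-checking. A real deployment needs a secret RSA-size modulus.
P, Q = 2**107 - 1, 2**127 - 1
N = P * Q                    # public: anyone can evaluate the hash with N
PHI = (P - 1) * (Q - 1)      # trapdoor: known only to the zone operator
T = 20_000                   # work factor: number of sequential squarings


def name_to_base(name: str, n: int = N) -> int:
    """Map an owner name to a base in [2, n-2] (SHA-256 is an assumption)."""
    digest = hashlib.sha256(name.lower().encode("ascii")).digest()
    return int.from_bytes(digest, "big") % (n - 3) + 2


def hash_without_trapdoor(name: str, t: int = T, n: int = N) -> int:
    """Cost without the factorisation of n: t squarings, one after another."""
    x = name_to_base(name, n)
    for _ in range(t):
        x = x * x % n
    return x


def hash_with_trapdoor(name: str, t: int = T, n: int = N, phi: int = PHI) -> int:
    """Cost for the server: reduce 2^t mod phi(n), then one modexp."""
    x = name_to_base(name, n)
    e = pow(2, t, phi)       # holds for every x: n is square-free and e != 0 here
    return pow(x, e, n)


if __name__ == "__main__":
    for owner in ("www.example.com", "mail.example.com"):
        slow = hash_without_trapdoor(owner)
        fast = hash_with_trapdoor(owner)
        print(owner, hex(fast)[:18], "match" if slow == fast else "MISMATCH")
```

Raising T increases the cost of the loop linearly, while the trapdoor path stays at one exponentiation with an exponent no larger than phi(n).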
