Oct 11 – 13, 2014
Hyatt Regency Century Plaza
US/Pacific timezone

Improved NSEC3 performance in DNSSEC

Oct 12, 2014, 12:00 PM
Westside (Hyatt Regency Century Plaza)



2025 Avenue of the Stars Los Angeles California 90067 USA
Public Workshop Sunday Workshop (Public)


Dr Jonathan Tuliani (Microsoft)


A challenge in DNSSEC is that the ‘NSEC3’ records used to assert the non-existence of a given domain name can create a significant computational load on the DNS servers. This document describes an application of a cryptographic technique known as a ‘time-lock puzzle’ to the calculation of NSEC3 records. This provides a means of reducing this load whilst simultaneously increasing the security against DNS record enumeration offered by NSEC3.


This presentation shows how a 'computationally asymmetric cryptographic hash function' can be constructed from a cryptographic technique known as a time-lock puzzle (http://people.csail.mit.edu/rivest/lcs35-puzzle-description.txt).

We show how such a hash function may be useful in the context of NSEC3 records: it allows the computational load faced by an attacker trying to enumerate a zone to be increased without a parallel increase in the computational load on the DNS server when it generates such records or processes queries.
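The asymmetry described above can be sketched with the repeated-squaring structure of the time-lock puzzle linked in the abstract. This is an added example, not the presenter's construction: the toy modulus, the SHA-256 mapping of names and the function names `slow_hash` and `fast_hash` are assumptions made for illustration.

```python
import hashlib

# Constructed toy parameters: two well-known Mersenne primes. A real modulus
# would be RSA-sized with secret factors; these values are for illustration.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q                   # public modulus
PHI = (P - 1) * (Q - 1)     # trapdoor, known only to the zone operator
T = 20000                   # work factor: number of sequential squarings


def _to_element(name: str, n: int) -> int:
    """Map a domain name to an integer mod n with an ordinary hash."""
    digest = hashlib.sha256(name.lower().encode("ascii")).digest()
    return int.from_bytes(digest, "big") % n


def _finalise(y: int, n: int) -> str:
    """Compress the group element into a fixed-length label."""
    return hashlib.sha256(y.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()


def slow_hash(name: str, n: int = N, t: int = T) -> str:
    """Public path: without the trapdoor, t squarings must be done in sequence."""
    y = _to_element(name, n)
    for _ in range(t):
        y = y * y % n
    return _finalise(y, n)


def fast_hash(name: str, n: int = N, phi: int = PHI, t: int = T) -> str:
    """Trapdoor path: reduce the exponent 2^t mod phi(n), then exponentiate once."""
    e = pow(2, t, phi)      # cost grows with log(t), not t
    y = pow(_to_element(name, n), e, n)
    return _finalise(y, n)


if __name__ == "__main__":
    for candidate in ("www.example.com", "mail.example.com"):  # constructed names
        assert fast_hash(candidate) == slow_hash(candidate)
        print(candidate, fast_hash(candidate))
```

Both paths return the same label, so the holder of `PHI` can hash names cheaply, while anyone testing guessed names without it pays `T` sequential squarings per guess.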
