11-13 October 2014
Hyatt Regency Century Plaza
US/Pacific timezone
Home > Timetable > Session details > Contribution details


Hyatt Regency Century Plaza - Westside

Improved NSEC3 performance in DNSSEC


  • Dr. Jonathan Tuliani TULIANI

Primary authors

Abstract content

A challenge in DNSSEC is that the ‘NSEC3’ records used to assert the non-existence of a given domain name can create a significant computational load on the DNS servers. This document describes an application of a cryptographic technique known as a ‘time-lock puzzle’ to the calculation of NSEC3 records. This provides a means of reducing this load whilst simultaneously increasing the security against DNS record enumeration offered by NSEC3.


This presentation shows how a 'computationally asymmetric cryptographic hash function' can be constructed from a cryptographic technique known as a time-lock puzzle (http://people.csail.mit.edu/rivest/lcs35-puzzle-description.txt)

We show how such a hash function may be useful in the context of NSEC3 records, by enabling the computational load faced by an attacker to enumerate a zone to be increased without creating a parallel increase in computational load on the DNS server to generate such records or process queries.