11–13 Oct 2014
Hyatt Regency Century Plaza
US/Pacific timezone

Improved NSEC3 performance in DNSSEC

12 Oct 2014, 12:00
30m
Westside (Hyatt Regency Century Plaza)

2025 Avenue of the Stars Los Angeles California 90067 USA
Public Workshop Sunday Workshop (Public)

Speaker

Dr Jonathan Tuliani (Microsoft)

Description

A challenge in DNSSEC is that the ‘NSEC3’ records used to assert the non-existence of a given domain name can create a significant computational load on the DNS servers. This document describes an application of a cryptographic technique known as a ‘time-lock puzzle’ to the calculation of NSEC3 records. This provides a means of reducing this load whilst simultaneously increasing the security against DNS record enumeration offered by NSEC3.

Summary

This presentation shows how a 'computationally asymmetric cryptographic hash function' can be constructed from a cryptographic technique known as a time-lock puzzle (http://people.csail.mit.edu/rivest/lcs35-puzzle-description.txt).

We show how such a hash function may be useful in the context of NSEC3 records, by enabling the computational load faced by an attacker to enumerate a zone to be increased without creating a parallel increase in computational load on the DNS server to generate such records or process queries.
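The asymmetry described above can be sketched with the repeated-squaring time-lock puzzle: whoever knows the factorisation of the modulus reduces the exponent first and pays for one modular exponentiation, while everyone else performs every squaring in sequence. This is an added illustration, not code from the presentation; the toy primes, the work factor, the name-to-base encoding and the SHA-256 finishing step are all assumptions.

```python
import hashlib
from math import gcd

# Constructed toy parameters (assumptions): two Mersenne primes stand in for the
# secret primes; a real modulus would use large, random, secret primes.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q                   # public modulus
PHI = (P - 1) * (Q - 1)     # trapdoor: requires the factorisation of N
T = 20_000                  # public work factor: number of sequential squarings


def name_to_base(name: str, salt: bytes, n: int = N) -> int:
    """Map an owner name to a base coprime to n (hypothetical encoding)."""
    counter = 0
    while True:
        data = salt + name.lower().encode("ascii") + counter.to_bytes(4, "big")
        x = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
        if x > 1 and gcd(x, n) == 1:
            return x
        counter += 1


def finish(y: int, n: int = N) -> str:
    """Compress the group element to a fixed-length label."""
    return hashlib.sha256(y.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()


def hash_without_trapdoor(name: str, salt: bytes = b"", t: int = T, n: int = N) -> str:
    """Public path: x^(2^t) mod n computed as t squarings, one after another."""
    x = name_to_base(name, salt, n)
    for _ in range(t):
        x = x * x % n
    return finish(x, n)


def hash_with_trapdoor(name: str, salt: bytes = b"", t: int = T,
                       n: int = N, phi: int = PHI) -> str:
    """Trapdoor path: reduce 2^t mod phi(n), then a single modular exponentiation."""
    x = name_to_base(name, salt, n)
    e = pow(2, t, phi)          # valid because gcd(x, n) == 1 (Euler's theorem)
    return finish(pow(x, e, n), n)


if __name__ == "__main__":
    for label in ("www.example.com", "mail.example.com"):
        assert hash_with_trapdoor(label) == hash_without_trapdoor(label)
        print(label, hash_with_trapdoor(label))
```

Raising `T` increases the cost of the public path linearly, while the trapdoor path grows only with the bit length of `T`.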
