
List:       dns-operations
Subject:    Re: [dns-operations] Fwd: [FD] [Tool] nsec3map v0.3 - DNSSEC Zone Enumerator
From:       Daniel Stirnimann <daniel.stirnimann () switch ! ch>
Date:       2015-04-10 7:10:46
Message-ID: 55277776.3000208 () switch ! ch

> Version 0.3 of nsec3map is capable of enumerating a high percentage ( >
> 99% ) of NSEC3 records even if the zone is very large (e.g. a million or
> more entries) in a matter of minutes on contemporary hardware.
> A few years ago we also demonstrated that we were able to crack 84% of a
> total of 1.31 million NSEC3 records obtained from a real TLD zone in a
> few days using common CPUs at the time.

That was .ch at the end of 2011. The authors were kind enough to ask for
permission prior to conducting their measurement and shared their
results with us.

.ch has been using NSEC3 opt-out since October 2014, but not to prevent zone
walking ;-)

Daniel

-- 
SWITCH
Daniel Stirnimann, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 16 24
daniel.stirnimann@switch.ch, http://www.switch.ch