[dnssec-deployment] meeting summary: 23 June 2004

Doug Barton barton at icann.org
Thu Jun 24 20:31:58 EDT 2004

James M Galvin wrote:

> One relatively new data point in the discussion is the desire for
> private domains.  There are TLDs asserting that they have customers with
> domains that are private that they do not want to be public.  Private in
> this context means that if you don't know it exists then you can not
> find it.

I agree that this does not sound like a particularly useful item,
however ...

> However, technically speaking, this is nonsense.  Domains can be found
> with a dictionary attack against a name server.  [ Editor's note: I
> thought I heard someone suggest there was an 85% probability of being
> found this way but there was no reference to go with it so I just
> mention it as a footnote unless someone wants to clarify the point. ]
> More to the point, a dictionary attack against a server will use far
> more resources and be far more operationally devastating than permiting
> the NSEC enumeration.  The reality is privacy or confidentiality is
> simply not supported in this version and we need to accept that and move
> on.  We can consider adding that as a requirement in the next version,
> if there is one. 

I keep hearing this dictionary attack argument thrown around like it's a
trivial thing. In my opinion, it is not. The possible name space at one
level of the tree is 37*61 x 36*2,
or 5.928026953489591E98. That's a VERY large space to search by brute
force. Granted, you could reduce that space quite a bit by factoring out
seemingly pointless combinations, however if you take the case of the
"private" domains above, exactly the kind of pointless combination like
might be what they have in mind.

Assuming 10 searches per second (yes, I know you could theoretically do
more with a bot net, etc.) it would take
(1.8797650156930466E90) years to search the whole space by brute force.

Assuming that you only want to search labels of 20 characters or less,
that's 23122483666661158726686253786801 (2.3122483666661157E31) labels,
which could be searched in 73320914721781959432668
(7.332091472178196E22) years.

Unless my math (and http://world.std.com/~reinhold/BigNumCalc.html) are
way way off (and please correct me if they are), I'm not sure why a
dictionary attack would be mentioned in the same context as zone
traversal through NSEC. One clearly is better than the other from a
resource perspective.

> Also, those who support NSEC and who are concerned
> about its performance should just "publish" the contents of their zones.

That would be an interesting debate from a whole other perspective. :)


Doug Barton
General Manager, The Internet Assigned Numbers Authority

More information about the Dnssec-deployment mailing list