[Dnssec-deployment] blame DNSSEC-ter, not hash algorithm weaknesses
akumria at acm.org
Mon Sep 12 07:25:25 EDT 2011
On 12 September 2011 12:08, Jim Reid <jim at rfc1035.com> wrote:
> On 12 Sep 2011, at 11:26, Ben Laurie wrote:
>> What? The only name it is trivial to compute is the one that is
>> already registered.
> One of us is confused Ben.
well I definitely am!
> Suppose you register ben.tld and this gets an NSEC3 of qwertyui.tld. I make
> a lucky guess you've registered ben.tld. So I compute the hash of that and
> then go to the registry to register qwertyui.tld. [Perhaps I confirm the
> potential for mischief by checking the NSEC3 for qwertyui.tld in
I thought when a new domain was registered a new NSEC3 would be computed. So
the next time you query, rather than getting qwertyui.tld you'd get instead
And if you went and registered that, then another one would be computed.
You could chase each of the registered domains, but you'd be spending money
and making the .tld registry happy they implemented DNSSEC.
At least that was my understanding of how things worked.
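The mechanism the thread is arguing about, as an added worked example that is not part of the original message or of any poster's code: the NSEC3 owner name of a zone entry is computed per RFC 5155 (iterated SHA-1 over the canonical wire-format name plus salt, encoded as 32 lowercase base32hex characters), and that 32-character string is itself a syntactically valid label. So if ben.tld is registered, anyone who can guess the name can compute its NSEC3 owner name ("qwertyui.tld" in the thread, a placeholder) and ask the registry for that exact name. The salt, iteration count and zone name used below are made up for illustration; the RFC 5155 Appendix A vector (zone "example", salt aabbccdd, 12 iterations) is included as a correctness check.

```python
import base64
import hashlib

# RFC 4648 base32 -> base32hex ("Extended Hex") alphabet, lowercased as RFC 5155 names are
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789abcdefghijklmnopqrstuv")
_B32HEX_CHARS = set("0123456789abcdefghijklmnopqrstuv")


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire format of a domain name, RFC 4034 section 6.2."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # the empty root label terminates the name
    return bytes(out)


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """RFC 5155 section 5: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt)."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # A 20-byte SHA-1 digest is exactly 32 base32 characters, so there is no padding to strip.
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)


def nsec3_owner_name(name: str, zone: str, salt: bytes, iterations: int) -> str:
    """Owner name of the NSEC3 RR that covers `name` in `zone`: <hash>.<zone>."""
    return f"{nsec3_hash(name, salt, iterations)}.{zone.rstrip('.')}."


def collision_scenario(registered: str, zone: str, salt: bytes, iterations: int) -> dict:
    """The mischief discussed in the thread, with made-up salt/iterations (assumption):
    take the NSEC3 owner name of an existing registration and register that label as a
    real name. The label is always 32 base32hex characters, so it is syntactically fine.
    The new registration gets its own (different) NSEC3 owner name, as the message above
    expects, but the original NSEC3 RR for `registered` keeps the colliding owner name."""
    hashed_label = nsec3_hash(registered, salt, iterations)
    squatter = f"{hashed_label}.{zone.rstrip('.')}."
    return {
        "victim_nsec3_owner": nsec3_owner_name(registered, zone, salt, iterations),
        "squatter_name": squatter,
        "squatter_nsec3_owner": nsec3_owner_name(squatter, zone, salt, iterations),
        "label_is_registrable": len(hashed_label) == 32 and set(hashed_label) <= _B32HEX_CHARS,
    }


def rfc5155_vector_ok() -> bool:
    """RFC 5155 Appendix A: H(example.) with salt aabbccdd and 12 iterations."""
    return nsec3_hash("example.", bytes.fromhex("aabbccdd"), 12) == "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom"


if __name__ == "__main__":
    print("RFC 5155 vector ok:", rfc5155_vector_ok())
    # "tld", the salt and the iteration count are illustrative values, not a real zone's parameters.
    for key, value in collision_scenario("ben.tld", "tld", bytes.fromhex("0102"), 5).items():
        print(f"{key:>22}: {value}")
```

Running it prints the NSEC3 owner name for ben.tld, the identical name a squatter would ask the registry for, and the fresh NSEC3 owner name that squatter's own registration would get. Note that the hash depends on the zone's current NSEC3PARAM salt and iteration count, so a registry that rolls its salt changes every hashed owner name at once.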