More on NSEC2 label size and DoS
Hi,
I still see a technical limit with NSEC2:
1) multiple hashed labels.
I assume that every label needs to be hashed individually (Ben ?). Due to
the SHA-1 digest size in base32, (32 characters), plus 1 byte label
length+type, and a maximum owner name length of 255 bytes, there is a
maximum of 7 hashed labels, i.e., there are issues for names like:
1.1.1.1.1.2.2.2.2.3.3.1.2.3.4.in-addr.arpa. and
5.4.1.4.1.1.0.1.6.3.1.e164.arpa.
2) DoS issue with multiple labels.
Since a hash(label) needs to be performed by the server to look up
(internally) the proper NSEC for proof, the effort for creating a response
would be higher than the effort for sending a query, compared to NSEC or
non-DNS.
Roy
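To make the length arithmetic in point 1 checkable, here is an added example (not part of the post, and not the NSEC2 draft's own code) that builds a per-label-hashed owner name the way the post assumes and measures it against the 255-byte wire limit. It assumes unsalted SHA-1 over the lowercased label, base32 of the raw digest (32 characters), and that the zone apex labels are kept unhashed; the exact NSEC2 hash input is not specified on the page.

```python
import base64
import hashlib

MAX_NAME_WIRE = 255          # RFC 1035 owner name limit, wire format
HASHED_LABEL_WIRE = 1 + 32   # 1 length byte + 32 base32 characters of a SHA-1 digest


def hash_label(label: str) -> str:
    """Hash one label as the post assumes NSEC2 does: SHA-1, then base32.
    Assumption: no salt, label lowercased. 20 digest bytes -> 32 chars, no padding."""
    digest = hashlib.sha1(label.lower().encode("ascii")).digest()
    return base64.b32encode(digest).decode("ascii").lower()


def split_name(name: str) -> list:
    """'a.b.c.' -> ['a', 'b', 'c'] (root label dropped)."""
    return [l for l in name.rstrip(".").split(".") if l]


def wire_length(labels: list) -> int:
    """Wire size: 1 length byte per label + label bytes + terminating root byte."""
    return sum(1 + len(l) for l in labels) + 1


def nsec2_owner_name(name: str, zone: str) -> list:
    """Hash every label below the apex individually; keep the apex labels as-is."""
    owner, apex = split_name(name), split_name(zone)
    if owner[len(owner) - len(apex):] != apex:
        raise ValueError(f"{name} is not inside zone {zone}")
    relative = owner[:len(owner) - len(apex)]
    return [hash_label(l) for l in relative] + apex


def check_name(name: str, zone: str) -> dict:
    """Report whether the per-label-hashed owner name still fits in 255 bytes."""
    hashed = nsec2_owner_name(name, zone)
    length = wire_length(hashed)
    return {"hashed_labels": len(hashed) - len(split_name(zone)),
            "wire_length": length,
            "fits": length <= MAX_NAME_WIRE}


def max_hashed_labels(zone: str) -> int:
    """How many hashed labels fit below a given apex before the 255-byte limit."""
    return (MAX_NAME_WIRE - wire_length(split_name(zone))) // HASHED_LABEL_WIRE


if __name__ == "__main__":
    # The two names from the post, both far beyond the limit under this scheme.
    for n, z in [("1.1.1.1.1.2.2.2.2.3.3.1.2.3.4.in-addr.arpa.", "in-addr.arpa."),
                 ("5.4.1.4.1.1.0.1.6.3.1.e164.arpa.", "e164.arpa.")]:
        print(n, check_name(n, z), "max labels:", max_hashed_labels(z))
```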