Zone Dumping via DNSSEC

5 points by thricegr8 1 year ago | 3 comments

johnklos 1 year ago |

This is neat. I didn't know about that shortcoming of DNSSEC, but knowing now, I'll definitely use NSEC3.

I've also naively taken it for granted that some of my machines that're only running ssh on IPv6 wouldn't be subject to brute force attacks, but now I can see how someone might discover DNS names that aren't shared publicly. Good to know!

tptacek 1 year ago | |

NSEC3 is not much better! It's usually a simple iterated hash, of the sort Unices used in the 1990s before the invention of bcrypt, so they can cracked the same way a 1990s password file would be.

johnklos 1 year ago | | |

Yes, it's not much better, but it's better than nothing. It'll at least make people work a little.