NSEC3 Project

ANNOUNCEMENT: 2nd NSEC3 Workshop

ANNOUNCEMENT: 2nd NSEC3 Workshop Report (draft)

What

NSEC3 is an addition to the DNS Security Extensions described in RFCs 4033, 4034 and 4035. It is described in http://www.nsec3.org/cgi-bin/trac.cgi/attachment/wiki/WikiStart/draft-ietf-dnsext-nsec3-13.txt?format=raw.

Why

The DNS Security Extensions included the NSEC RR to provide authenticated denial of existence. Though the NSEC RR meets the requirements for authenticated denial of existence, it has a side effect: because each NSEC RR names the next owner name in the zone's canonical order, the complete contents of a signed zone can be enumerated by following the NSEC chain ("zone walking"). This property raises policy issues for operators who do not want the contents of their zones disclosed.

A second problem is that the cost to cryptographically secure delegations to unsigned zones is high for large delegation-centric zones and for zones where insecure delegations are updated rapidly. For these zones, the cost of maintaining the NSEC record chain may be extremely high relative to the gain of cryptographically authenticating the existence of unsecured zones.
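To make the enumeration side effect concrete, the following is an added example (not code from the nsec3.org project or the draft) that builds a toy NSEC chain over a constructed sample zone, walks it to recover every owner name, and then builds the corresponding NSEC3 chain of hashed owner names as defined in the draft (SHA-1 over the wire-format owner name plus salt, iterated). The zone names, salt and iteration count are assumptions chosen for illustration. Against the hashed chain an attacker can only confirm names by guessing them, which is the property NSEC3 adds; it does not make the chain unwalkable.

```python
"""Toy NSEC zone walk versus NSEC3 hashed owner names.

Added example; not part of the nsec3.org page or the NSEC3 draft.
The zone below is constructed sample data.
"""
import base64
import hashlib

# Constructed sample zone (assumption): owner names in a signed zone "example.".
ZONE_NAMES = ["example.", "www.example.", "secret-host.example.",
              "alpha.example.", "mail.example."]


def canonical_order(names):
    """Sort names in DNSSEC canonical order: compare labels from the root,
    case-insensitively, as unsigned bytes; a name sorts before its subdomains."""
    def key(name):
        labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
        return list(reversed(labels))
    return sorted(names, key=key)


def build_nsec_chain(names):
    """Return {owner: next_owner}: what the NSEC RRs of a signed zone encode.
    The last name points back to the apex, closing the chain."""
    ordered = canonical_order(names)
    return {o: ordered[(i + 1) % len(ordered)] for i, o in enumerate(ordered)}


def walk_nsec_chain(chain, apex):
    """Zone walking: starting at the apex, each NSEC RR an attacker obtains
    (by querying for a name just past the previous one) reveals the next real
    owner name, so the whole zone is enumerated."""
    found = [apex]
    cur = chain[apex]
    while cur != apex:
        found.append(cur)
        cur = chain[cur]
    return found


def name_to_wire(name):
    """Wire-format owner name with labels lowercased (canonical form)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode()
    return out + b"\x00"


_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = bytes.maketrans(_B32_STD, _B32_HEX)


def nsec3_hash(name, salt=b"", iterations=0):
    """NSEC3 hashed owner name: IH(0) = SHA1(wire_name || salt),
    IH(k) = SHA1(IH(k-1) || salt), rendered in base32hex (lowercase)."""
    h = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    # 20-byte digest -> exactly 32 base32 characters, no padding.
    return base64.b32encode(h).translate(_TO_B32HEX).decode().lower()


def build_nsec3_chain(names, salt=b"", iterations=0):
    """Return {hashed_owner: next_hashed_owner}, the NSEC3 chain of the zone."""
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return {h: hashed[(i + 1) % len(hashed)] for i, h in enumerate(hashed)}


def dictionary_attack(nsec3_chain, candidates, salt=b"", iterations=0):
    """With NSEC3, walking the chain yields only hashes; a name is recovered
    only if the attacker guesses it and its hash appears in the chain."""
    return [c for c in candidates
            if nsec3_hash(c, salt, iterations) in nsec3_chain]


if __name__ == "__main__":
    nsec = build_nsec_chain(ZONE_NAMES)
    print("NSEC walk recovers:", walk_nsec_chain(nsec, "example."))
    salt, iters = bytes.fromhex("aabbccdd"), 12  # assumed parameters
    nsec3 = build_nsec3_chain(ZONE_NAMES, salt, iters)
    print("NSEC3 chain exposes only hashes:", list(nsec3))
    guesses = ["www.example.", "ftp.example.", "mail.example."]
    print("Dictionary attack confirms:",
          dictionary_attack(nsec3, guesses, salt, iters))
```

Note that `secret-host.example.` falls out of the NSEC walk for free but is recovered from the NSEC3 chain only if it is in the attacker's guess list; the salt and iteration count raise the cost of that guessing but do not prevent it.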

Where

This is currently being standardized in the IETF DNS Extensions working group.
There is a mailing list available: http://www.nsec3.org/mailman/listinfo/nsec3-testing

Drafts

Current NSEC3 draft (31 August 2006)
Older and Related Drafts

Software
