Paper 2017/099
Making NSEC5 Practical for DNSSEC
Abstract
NSEC5 is a proposed modification to DNSSEC that guarantees two security properties: (1) privacy against offline zone enumeration, and (2) integrity of zone contents, even if an adversary compromises the authoritative nameserver responsible for responding to DNS queries for the zone. In this work, we redesign NSEC5 in order to make it practical and performant. Our NSEC5 redesign features a new verifiable random function (VRF) based on elliptic curve cryptography (ECC), along with a cryptographic proof of its security. This VRF is also of independent interest, as it is being standardized by the IETF and being used by several other projects. We show how to integrate NSEC5 using our ECC-based VRF into DNSSEC, leveraging precomputation to improve performance and DNS protocol-level optimizations to shorten responses. Next, we present the first full-fledged implementation of NSEC5 for both nameserver and recursive resolver, and evaluate performance under aggressive DNS query loads. We find that our redesigned NSEC5 can be viable even for high-throughput scenarios.
Note: Editorial changes, improvements to VRF proofs
Metadata
- Available format(s)
- Category
- Cryptographic protocols
- Publication info
- Preprint.
- Keywords
- DNSSEC verifiable random functions elliptic curve cryptography implementation
- Contact author(s)
- dipapado @ cse ust hk
- History
- 2022-08-09: last of 4 revisions
- 2017-02-13: received
- See all versions
- Short URL
- https://ia.cr/2017/099
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2017/099, author = {Dimitrios Papadopoulos and Duane Wessels and Shumon Huque and Moni Naor and Jan Včelák and Leonid Reyzin and Sharon Goldberg}, title = {Making {NSEC5} Practical for {DNSSEC}}, howpublished = {Cryptology {ePrint} Archive, Paper 2017/099}, year = {2017}, url = {https://eprint.iacr.org/2017/099} }