
NSEC3 pretty much solves this issue.


It doesn't, at all. NSEC3 is crackable like a 1990s password file, and several tools exist to do it. The "standard" solution to this is "whitelies" (RFC4470), which requires your DNSSEC server to be an online signer so it can generate chaff records; the supposedly upcoming solution is NSEC5, which fixes the broken cryptography in NSEC3.
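Added example, not part of either comment above: the NSEC3 owner-name hash from RFC 5155 is unkeyed SHA-1, and the salt and iteration count are published in the zone, so a zone operator can check which of their own names a list of common labels would recover. The zone, names and wordlist are constructed sample data; `recoverable_names` and `demo` are hypothetical helper names.

```python
import base64
import hashlib

# RFC 5155 uses base32hex (RFC 4648 "extended hex" alphabet), unpadded.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)

def wire_name(name):
    """Canonical (lowercased) DNS wire format: length-prefixed labels + root."""
    out = b""
    for label in filter(None, name.lower().rstrip(".").split(".")):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt), then re-hashed
    `iterations` more times. Every input is public; there is no secret key."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()

def recoverable_names(published_hashes, labels, zone, salt_hex, iterations):
    """Map each published NSEC3 hash to the candidate name that produces it."""
    published = {h.lower() for h in published_hashes}
    hits = {}
    for label in labels:
        fqdn = f"{label}.{zone}"
        h = nsec3_hash(fqdn, salt_hex, iterations)
        if h in published:
            hits[h] = fqdn
    return hits

def demo():
    # Constructed zone contents: two common labels and one high-entropy label.
    zone, salt, iters = "example", "aabbccdd", 12
    names = ["www.example", "mail.example", "x7q-internal-build.example"]
    published = [nsec3_hash(n, salt, iters) for n in names]
    common_labels = ["www", "mail", "vpn", "ftp"]  # constructed wordlist
    return recoverable_names(published, common_labels, zone, salt, iters)

if __name__ == "__main__":
    for h, fqdn in demo().items():
        print(h, "->", fqdn)
```

Names built from common labels map straight back from their hashes, while the high-entropy label stays unmatched; the salt and iteration count only raise the per-guess cost.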



