Can NSEC5 be practical for DNSSEC deployments?

Papadopoulos, Dimitrios; Wessels, Duane; Huque, Shumon; Naor, Moni; Včelák, Jan; Reyzin, Leonid; Goldberg, Sharon

Date Issued

2017-02

Author(s)

Papadopoulos, Dimitrios

Wessels, Duane

Huque, Shumon

Naor, Moni

Včelák, Jan

Reyzin, Leonid

Goldberg, Sharon

Export Citation

Download to BibTex

Download to EndNote/RefMan (RIS)

Metadata

Show full item record

Permanent Link

https://hdl.handle.net/2144/29223

Version

First author draft

Citation (published version)

D Papadopoulos, D Wessels, S Huque, M Naor, J Včelák, L Reyzin, S Goldberg. 2017. "Can NSEC5 be practical for DNSSEC deployments?." DNS Privacy Workshop 2017

Abstract

NSEC5 is proposed modification to DNSSEC that simultaneously guarantees two security properties: (1) privacy against offline zone enumeration, and (2) integrity of zone contents, even if an adversary compromises the authoritative nameserver responsible for responding to DNS queries for the zone. This paper redesigns NSEC5 to make it both practical and performant. Our NSEC5 redesign features a new fast verifiable random function (VRF) based on elliptic curve cryptography (ECC), along with a cryptographic proof of its security. This VRF is also of independent interest, as it is being standardized by the IETF and being used by several other projects. We show how to integrate NSEC5 using our ECC-based VRF into the DNSSEC protocol, leveraging precomputation to improve performance and DNS protocol-level optimizations to shorten responses. Next, we present the first full-fledged implementation of NSEC5—extending widely-used DNS software to present a nameserver and recursive resolver that support NSEC5—and evaluate their performance under aggressive DNS query loads. Our performance results indicate that our redesigned NSEC5 can be viable even for high-throughput scenarios

Collections

BU Open Access Articles [3664]
CAS: Computer Science: Scholarly Papers [186]