undefined | Better HN

0 pointseqvinox2y ago0 comments

> expose your internal hostnames if you enable DNSSEC

Zone content enumeration in DNSsec was fixed by NSEC3 records (RFC5155, March 2008)

0 comments

No it wasn't! NSEC3 is crackable the same way a 1990s Unix password file is. This was such a big problem that two competing approaches were introduced to defeat it: "whitelies", which I perceive as the "best practices standard" answer, requires servers to operate as online signers (they should have been all along) so they can generate dynamic chaff records to foil enumeration, and NSEC5.

eqvinoxOP2y ago

Hmm. Interesting. I wasn't aware of that, thanks! … also, https://github.com/CyberCX-STA/NSEC-3-Walker …

j / k navigate · click thread line to collapse

0 pointseqvinox2y ago0 comments

> expose your internal hostnames if you enable DNSSEC

Zone content enumeration in DNSsec was fixed by NSEC3 records (RFC5155, March 2008)

0 comments

tptacek2y ago

eqvinoxOP2y ago

Hmm. Interesting. I wasn't aware of that, thanks! … also, https://github.com/CyberCX-STA/NSEC-3-Walker …

j / k navigate · click thread line to collapse