2/4/2009 12:14:50 PM

There are two accepted key types you can choose from to sign a zone using
DNSSEC. They are:

  • NSEC (less secure, allows zone enumeration)
  • NSEC3 (more secure)

    The following key algorithms SHOULD NOT be used when signing with DNSSEC
    because the keys they produce are weak:

  • RSAMD5, DH, DSA, NSEC3DSA, HMAC-MD5, and HMAC-SHA1 to HMAC-SHA512

    The .gov zone is currently the only TLD signed using NSEC3RSASHA1; .com, .net,
    and .org are expected to follow suit eventually with NSEC3 keys.

    NSEC3RSASHA1 will remain the algorithm to use for NSEC3 keys until the
    NSEC3RSASHA256 algorithm is incorporated into BIND and other DNS software
    packages. NIST will then recommend that all US Federal Government agencies
    upgrade their keys to this stronger algorithm once it is available. The
    anticipated date is January 2010.

    The key type cannot be changed once a ZSK or KSK has been generated: the
    dnssec-signzone command uses the algorithm of the keys passed to it to
    decide whether to perform NSEC3 or NSEC zone signing.

    With NSEC signing, a query for a domain name that does not exist, for example
    yahoo.gov, returns an NXDOMAIN response together with an NSEC record that names,
    in plain text, the next valid domain name in the zone's alphabetical (canonical)
    order. In some zones it is not desirable to 'leak' this information to potential
    attackers, so NSEC3 instead hashes the domain names in the zone and returns the
    hashed values. This thwarts enumeration attacks that walk the NSEC chain to
    retrieve every domain from the authoritative name servers and then attack the
    unsuspecting domains.

    NSEC3 was released in late 2008 and is still relatively new. However, an upgrade
    to DNSSEC should go 'all the way' and use NSEC3 to avoid 'leaking' third- and
    fourth-level domain names within the zone that were previously hidden. NSEC key
    users must be reminded that signing enables enumeration of names that could not
    be discovered before the zone was signed.
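    As an added illustration of the difference described above (example code
    written for this note, not part of the original or of BIND): the NSEC denial
    hands back two real owner names from a constructed example.gov. zone, while the
    NSEC3 chain built with the RFC 5155 hash (SHA-1 over the canonical wire-format
    name plus salt, iterated) exposes only Base32hex hashes. The zone contents, the
    salt and the iteration count are constructed values.

```python
import hashlib

# Constructed sample zone (not real data): the owner names that exist under example.gov.
ZONE_NAMES = ["example.gov.", "www.example.gov.", "mail.example.gov.", "intranet.example.gov."]
BASE32HEX = "0123456789abcdefghijklmnopqrstuv"

def canonical_key(name):
    """Sort key for canonical DNS ordering (RFC 4034 s6.1): labels compared from the root, case-folded."""
    return [label.lower() for label in name.rstrip(".").split(".")][::-1]

def canonical_wire(name):
    """Owner name in canonical wire format: length-prefixed lowercase labels, then the root label."""
    labels = [label.lower().encode("ascii") for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"

def nsec_covering(zone_names, qname):
    """NSEC denial for a nonexistent qname: the NSEC whose owner sorts before qname and whose
    'next' name sorts after it. Both are real names in clear text, which is what lets a client walk the zone."""
    ordered = sorted(zone_names, key=canonical_key)
    q = canonical_key(qname)
    for i, owner in enumerate(ordered):
        last = i == len(ordered) - 1
        nxt = ordered[0] if last else ordered[i + 1]  # the last NSEC wraps back to the apex
        if canonical_key(owner) < q and (last or q < canonical_key(nxt)):
            return owner, nxt
    raise ValueError("qname exists in the zone or lies outside it")

def base32hex(data):
    """Unpadded Base32 with the extended-hex alphabet (RFC 4648 s7), the NSEC3 owner-name encoding."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(BASE32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))

def nsec3_hash(name, salt_hex="", iterations=0):
    """RFC 5155 s5 hash: SHA-1(wire_name || salt), then SHA-1(previous || salt) 'iterations' more times."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(canonical_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)

def nsec3_chain(zone_names, salt_hex, iterations):
    """What an NSEC3 denial exposes instead of names: the hashed owner names, in hash order."""
    return sorted(nsec3_hash(n, salt_hex, iterations) for n in zone_names)

if __name__ == "__main__":
    print("NSEC denial for yahoo.example.gov. reveals:", nsec_covering(ZONE_NAMES, "yahoo.example.gov."))
    print("NSEC3 chain reveals only:", nsec3_chain(ZONE_NAMES, "aabbccdd", 12))
```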

    To create one KSK and two ZSKs as 2048-bit NSEC3 keys, use the following
    command lines (-f KSK sets the KSK flag, -n ZONE marks a zone key, and -e
    selects the large RSA public exponent):

    dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 2048 -n ZONE domain.net
    dnssec-keygen -a NSEC3RSASHA1 -b 2048 -e -n ZONE domain.net
    dnssec-keygen -a NSEC3RSASHA1 -b 2048 -e -n ZONE domain.net


    To create 2048-bit NSEC keys, use the following:

    dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE domain.net
    dnssec-keygen -a RSASHA1 -b 2048 -e -n ZONE domain.net
    dnssec-keygen -a RSASHA1 -b 2048 -e -n ZONE domain.net


    The ZSKs generated are strong enough to sign the domain for 3 months.
    The KSK generated is strong enough to act as a trust anchor for 24 months.