Overdoing NSEC3 Hurts

This is a draft agenda: changes are still being made.

Speaker:
Petr Špaček, Internet Systems Consortium
Room:
Side Room
Session:
DNS
Duration:
10 min
Transcript:
Not Available
Meetecho chat:
Not Available
Type:
Talk

Abstract

An NSEC3 configuration with too many iterations leads to excessive work on authoritative servers and resolvers, can be used for DoS attacks, and even opens a downgrade attack path which is not well documented.

In this brief talk we want to alert operators to this danger and evangelize Best Current Practice RFC 9276 which shows how to use NSEC3 in a safe (or less harmful) way.

Recording

Video will be added soon.

Speaker

Petr Špaček
