Overdoing NSEC3 Hurts

Speaker:
Petr Špaček, Internet Systems Consortium
Room:
Side Room
Session:
DNS
Duration:
14 min
Type:
Talk

Abstract

An NSEC3 configuration with too many iterations leads to excessive work on authoritative servers and resolvers, can be used for DoS attacks, and even opens a downgrade attack path which is not well documented.

In this brief talk we want to alert operators to this danger and evangelize Best Current Practice RFC 9276 which shows how to use NSEC3 in a safe (or less harmful) way.

Speaker

Petr Špaček