1.1.Requirements Notation

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14[RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.¶

2.1.Algorithms

The algorithm field is not discussed by this document. Readers areencouraged to read[RFC8624] for guidance about DNSSEC algorithmusage.¶

2.2.Flags

The NSEC3PARAM flags field currently contains only reserved andunassigned flags. However, individual NSEC3 records contain the"Opt-Out" flag[RFC5155] that specifies whether that NSEC3 recordprovides proof of nonexistence. In general, NSEC3 with the Opt-Outflag enabled should only be used in large, highly dynamic zones with asmall percentage of signed delegations. Operationally, this allowsfor fewer signature creations when new delegations are inserted into azone. This is typically only necessary for extremely largeregistration points providing zone updates faster than real-timesigning allows or when using memory-constrained hardware. Operators considering the use of NSEC3 are advised to carefully weigh the costs and benefits of choosing NSEC3 over NSEC. Smaller zones, or large but relatively static zones, are encouraged to not use the opt-opt flag and to take advantage of DNSSEC's authenticated denial of existence.¶

2.3.Iterations

NSEC3 records are created by first hashing the input domain and thenrepeating that hashing using the same algorithm a number of times based on theiteration parameter in the NSEC3PARAM and NSEC3 records.The first hash with NSEC3 is typically sufficient to discourage zoneenumeration performed by "zone walking" an unhashed NSEC chain.¶

Note that[RFC5155] describes the Iterations field as follows¶

TheIterations field defines the number of additional times the hashfunction has been performed.¶

This means that an NSEC3 record with anIterations field of 0 actually requires one hash iteration.¶

Only determined partieswith significant resources are likely to try and uncover hashedvalues, regardless of the number of additional iterations performed.If an adversary really wants to expend significant CPU resources tomount an offline dictionary attack on a zone's NSEC3 chain, they'lllikely be able to find most of the "guessable" names despite anylevel of additional hashing iterations.¶

Most names published in the DNS are rarely secret or unpredictable.They are published to be memorable, used and consumed by humans. Theyare often recorded in many other network logs such as email logs,certificate transparency logs, web page links, intrusion-detectionsystems, malware scanners, email archives, etc. Many times a simpledictionary of commonly used domain names prefixes (www, mail,imap, login, database, etc.) can be used to quickly reveal a largenumber of labels within a zone. Because of this, there are increasingperformance costs yet diminishing returns associated with applyingadditional hash iterations beyond the first.¶

AlthoughSection 10.3 of [RFC5155] specifies the upper bounds for thenumber of hash iterations to use, there is no published guidance forzone owners about good values to select. Recent academic studieshave shown that NSEC3 hashing provides only moderateprotection[GPUNSEC3][ZONEENUM].¶

2.4.Salt

NSEC3 records provide an additional salt value, which can becombined with a Fully Qualified Domain Name (FQDN) to influence the resulting hash, but propertiesof this extra salt are complicated.¶

In cryptography, salts generally add a layer of protection againstoffline, stored dictionary attacks by combining the value to be hashedwith a unique "salt" value. This prevents adversaries from building upand remembering a single dictionary of values that can translate ahash output back to the value that it was derived from.¶

In the case of DNS, the situation is different because the hashednames placed in NSEC3 records are always implicitly "salted" byhashing the FQDN from each zone. Thus, nosingle pre-computed table works to speed up dictionary attacksagainst multiple target zones. An attacker is always required tocompute a complete dictionary per zone, which is expensive in bothstorage and CPU time.¶

To understand the role of the additional NSEC3 salt field, we have toconsider how a typical zone walking attack works. Typically, the attackhas two phases: online and offline. In the online phase, an attacker"walks the zone" by enumerating (almost) all hashes listed in NSEC3records and storing them for the offline phase. Then, in the offlinecracking phase, the attacker attempts to crack the underlying hash. Inthis phase, the additional salt value raises the cost of the attackonly if the salt value changes during the online phase of theattack. In other words, an additional, constant salt value does notchange the cost of the attack.¶

Changing a zone's salt value requires the construction of a completenew NSEC3 chain. This is true both when re-signing the entire zone atonce and when incrementally signing it in the background where the newsalt is only activated once every name in the chain has beencompleted. As a result, re-salting is a very complex operation, withsignificant CPU time, memory, and bandwidth consumption. This makesvery frequent re-salting impractical and renders the additional saltfield functionally useless.¶

3.1.Best Practice for Zone Publishers

First, if the operational or security features of NSEC3 are notneeded, then NSECSHOULD be used in preference to NSEC3. NSEC3requires greater computational power (seeAppendix B)for both authoritative servers and validating clients. Specifically,there is a nontrivial complexity in finding matching NSEC3 records torandomly generated prefixes within a DNS zone. NSEC mitigates thisconcern. If NSEC3 must be used, then an iterations count of 0MUST beused to alleviate computational burdens. Note that extra iterationcounts other than 0 increase the impact of CPU-exhausting DoS attacks,and also increase the risk of interoperability problems.¶

Note that deploying NSEC with minimally covering NSEC records[RFC4470] also incurs a cost, and zone owners should measure thecomputational difference in deploying either[RFC4470] or NSEC3.¶

In short, for all zones, the recommended NSEC3 parameters are as shownbelow:¶

; SHA-1, no extra iterations, empty salt:;bcp.example. IN NSEC3PARAM 1 0 0 -

For small zones, the use of opt-out-based NSEC3 records isNOT RECOMMENDED.¶

For very large and sparsely signed zones, where the majority of therecords are insecure delegations, opt-outMAY be used.¶

OperatorsSHOULD NOT use a salt by indicating a zero-length salt valueinstead (represented as a "-" in the presentation format).¶

If salts are used, note that since the NSEC3PARAM RR is not used byvalidating resolvers (seeSection 4 of [RFC5155]), the iterations andsalt parameters can be changed without the need to wait for RRsets toexpire from caches. A complete new NSEC3 chain needs to beconstructed and the full zone needs to be re-signed.¶

3.2.Recommendation for Validating Resolvers

Because there has been a large growth of open (public) DNSSECvalidating resolvers that are subject to compute resource constraintswhen handling requests from anonymous clients, this documentrecommends that validating resolvers reduce their iteration countlimits over time. Specifically, validatingresolver operators and validating resolver software implementers areencouraged to continue evaluating NSEC3 iteration count deploymenttrends and lower their acceptable iteration limits over time.Becausetreating a high iterations count as insecure leaves zones subject toattack, validating resolver operators and validating resolver softwareimplementers are further encouraged to lower their default limit for returning SERVFAIL when processing NSEC3 parameterscontaining large iteration count values. SeeAppendix A for measurements taken near the time ofpublication of this document and potential starting points.¶

Validating resolversMAY return an insecure response to their clientswhen processing NSEC3 records with iterations largerthan 0.Note also that a validating resolver returning an insecure responseMUST still validate the signature over the NSEC3 record to ensurethe iteration count was not altered since record publication (seeSection 10.3 of [RFC5155]).¶

Validating resolversMAY also return a SERVFAIL response whenprocessing NSEC3 records with iterations larger than 0. ValidatingresolversMAY choose to ignore authoritative server responses withiteration counts greater than 0, which will likely result inreturning a SERVFAIL to the client when no acceptable responses arereceived from authoritative servers.¶

Validating resolvers returning an insecure or SERVFAIL answer to theirclient after receiving and validating an unsupported NSEC3 parameterfrom the authoritative server(s)SHOULD return an Extended DNSError (EDE)[RFC8914] EDNS0 option of value 27.Validating resolvers that choose to ignore a response with anunsupported iteration count (and that do not validate the signature)MUST NOT return this EDE option.¶

Note that this specification updates[RFC5155] by significantlydecreasing the requirements originally specified inSection 10.3 of [RFC5155]. See the SecurityConsiderations (Section 4) for arguments on how tohandle responses with non-zero iteration count.¶

3.3.Recommendation for Primary and Secondary Relationships

Primary and secondary authoritative servers for a zone that are notbeing run by the same operational staff and/or using the same softwareand configuration must take into account the potential differences inNSEC3 iteration support.¶

Operators of secondary services should advertise the parameter limitsthat their servers support. Correspondingly, operators of primaryservers need to ensure that their secondaries support the NSEC3parameters they expect to use in their zones. To ensure reliability,after primaries change their iteration counts, they should query theirsecondaries with known nonexistent labels to verify the secondaryservers are responding as expected.¶