Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Correction: you can also enumerate through NSEC3, the most common (and default) mode of deployment; NSEC3 turns enumerable zone entries into the equivalent of a password hash file, which can be cracked.

There's a hack to prevent this that seeds the zone with false entries, but it requires the server to operate as an online signer. Since this is essentially incoherent to the design of the protocol (which makes major cryptographic and usability sacrifices to enable offline signers), there's an "NSEC4" being worked on now.

DNSSEC is silly.



Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: