Zone Walking (also DNSSEC Walking) is a procedure, with which aggressors marked complete contents of DNSSEC DNS zones select can. Thus confidential data know (e.g. customer master lists) and safety-relevant information (e.g. IP addresses of servers) to be abandoned.

Function mode

Leg marking a zone concatenates DNSSEC automatically by means of NANOSECOND resource record all labels circularly in alphabetical order. Example zone example.de:

    example.de. NANOSECOND name1 name1 NANOSECOND name2 name2 NANOSECOND name5 name5 NANOSECOND example.de. Left in each case the label (canonical name) stands and on the right of a reference to the lexigrafisch next label. 

Thus the nonexistence can be proven by name. For example if a Client the not-existing name name3 inquires, then the name server answers with the nanosecond entry name2 NANOSECOND name5 and indicates with the fact that between name2 and name5 no further entry is.

An aggressor makes himself this concatenation to use, by going through the chain beginning with the first name of a zone (that is always the name of the zone) by gradual inquiries. By this technical quite simple procedure he can pick all zone contents out within fewer seconds.

Defense

• It is possible to later remove some for NANOSECOND records from a marked zone. Thus the chain is interrupted, an aggressor can pick out only one subset of the information.

• In the RFC 4470 is suggested modifying the NANOSECOND type of record. Instead of referring to material existing names, Nanosecond RRs show to automatically produced, in the zone however not existing entries. This procedure is however afflicted with substantial disadvantages. So so modified nanosecond records can be generated only directly before mailing the answer. And makes necessary the constant operational readiness level of the private zone key loads the server, with which dynamically produced NANOSECOND records are signed.

• In the IETF Draft dnsext-nsec3-05 is suggested representing the names involved not in the plain language but in coded form.

Articles in category "Zone Walking"

We found here 5 articles.

Related Websites

We found here 5 related websites.

• Amazon.com: The Twilight Zone: Walking Distance/ Kick the Can ...
  The Twilight Zone: Walking Distance/ Kick the Can, Alvin Ganzer, Richard Donner, Robert Florey, William F. Claxton, Don Medford, Jus Addiss, Ron Winston, ...


• NIC-SE statement regarding NSEC zone walking
  NIC-SE will give an presentation of our current DNSSEC pilot including various aspects such as the zone walking issue at the CENTR meeting in Stockholm at ...


• Re: zone walking and random generated names
  To: Gustavo Lozano Ibarra <glozano@nic.mx>; Subject: Re: zone walking and random generated names; From: Samuel Weiler <weiler@tislabs.com>; Date: Tue, ...


• Re: zone walking and random generated names
  To: Samuel Weiler <weiler@tislabs.com>; Subject: Re: zone walking and random generated names; From: Gustavo Lozano Ibarra <glozano@nic.mx>; Date: Tue, ...


• zone walking and random generated names
  I still believe that using random generated names can solve the problem of non zone walking offline generated authenticated denial of existence. ...