5

This answer describes how DNSSEC might permit "zone walking", where a bad guy can extract all the DNS records from a DNSSEC-enabled zone. NSEC3 is an update that prevents this. (See the bottom of this article.)

How can I determine (externally) if a zone is using NSEC or NSEC3?

makerofthings7
  • 50,488
  • 54
  • 253
  • 542

2 Answers

9

If you're willing to rely on an online service (and don't mind one that is pretty picky), the DNSSEC Checker will warn (among other things) about zones that don't use NSEC3.

To check by yourself, simply query a non-existent domain and look for either an NSEC or NSEC3 resource record in response. An example query would be dig +dnssec -t any xyzzy14.sdsmt.edu (for a zone using NSEC3) or the same query at xyzzy14.berkeley.edu to see NSEC records.

Also, note that NSEC3 does not fully protect DNS zones from being enumerated. Indeed no DNS server has ever been immune to that, since attackers can always do a dictionary attack by just querying for names they think might be there. Use of NSEC3 allows an attacker to speed up the dictionary attack and do it more privately offline. They retrieve all or most of the NSEC3 records by querying for non-existent domains, and thus get the hashes of all the hosts in the zone. They then do an offline brute-force attack on the hashes. Tools even exist to do that, e.g. nsec3walker. But NSEC3 is still much harder to enumerate than NSEC, and you can set the iteration count for the hash to a high value if you want to make it more expensive.

nealmcb
  • 20,693
  • 6
  • 71
  • 117
2

Simply check if the domain has an NSEC3PARAM record:

dig -t NSEC3PARAM gi-electric.at

If there is no ANSWER section, then the zone is not using NSEC3.
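Both answers above describe a check that is easy to automate once you have dig's output in hand: the first looks at the AUTHORITY section of an NXDOMAIN response for NSEC or NSEC3 records, the second looks for an NSEC3PARAM record at the zone apex. The following is an added example, not code from either answer, that applies both checks to dig-style presentation lines. Every record below is a constructed sample (the zone name example.test, the base32hex owner hashes and the salt are all made up), so it runs offline; the NSEC3 and NSEC3PARAM field layout (hash algorithm, flags, iterations, salt) follows RFC 5155.

```python
"""Classify a zone's DNSSEC denial-of-existence scheme from dig-style output.

Added example for this Q&A; it is not code from the original answers.
All sample records are constructed and parsed from strings, no network I/O.
"""
import re
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# One dig presentation-format line: owner TTL IN TYPE rdata
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

# --- constructed samples (hashes, salt and zone name are made up) ---
NSEC3_DENIAL = """
;; AUTHORITY SECTION:
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
example.test. 3600 IN RRSIG SOA 13 2 3600 20240201000000 20240101000000 12345 example.test. c29tZXNpZw==
39P99DCGG0MDLARTCRMCF6OFLLUL7PR6.example.test. 3600 IN NSEC3 1 1 10 AABBCCDD 39P9A0FQ5RJH5PJ7K6Q2R3S4T5U6V7W8 NS SOA RRSIG DNSKEY NSEC3PARAM
"""
NSEC_DENIAL = """
;; AUTHORITY SECTION:
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
xyzzy13.example.test. 3600 IN NSEC xyzzy15.example.test. A RRSIG NSEC
"""
UNSIGNED_DENIAL = """
;; AUTHORITY SECTION:
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
"""
APEX_WITH_PARAM = """
;; ANSWER SECTION:
example.test. 3600 IN NSEC3PARAM 1 0 10 AABBCCDD
"""
APEX_WITHOUT_PARAM = """
;; AUTHORITY SECTION:
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
"""


def parse_records(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (owner, type, rdata) per record line; dig's ';' comment lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            yield m.group(1).lower(), m.group(3).upper(), m.group(4)


@dataclass
class Nsec3Params:
    hash_alg: int    # 1 = SHA-1, the only algorithm defined by RFC 5155
    flags: int       # in NSEC3 records bit 0 is Opt-Out; in NSEC3PARAM it is always 0
    iterations: int  # extra hash rounds applied to each owner name
    salt: str        # hex string, or "-" when the zone uses no salt


def parse_nsec3_params(rdata: str) -> Nsec3Params:
    """NSEC3 and NSEC3PARAM rdata both begin: hash-alg flags iterations salt."""
    alg, flags, iters, salt = rdata.split()[:4]
    return Nsec3Params(int(alg), int(flags), int(iters), salt.upper())


def classify_denial(nxdomain_response: str) -> str:
    """First answer's method: query a name that does not exist and look at what denies it.

    Returns 'NSEC3', 'NSEC', or 'none' (no denial records: the zone is unsigned,
    or the query was sent without +dnssec so the server omitted them)."""
    types = {rtype for _, rtype, _ in parse_records(nxdomain_response)}
    if "NSEC3" in types:
        return "NSEC3"
    if "NSEC" in types:
        return "NSEC"
    return "none"


def nsec3_record_params(nxdomain_response: str) -> Optional[Nsec3Params]:
    """Read iterations/salt/flags straight from the NSEC3 record that denied the name."""
    for _, rtype, rdata in parse_records(nxdomain_response):
        if rtype == "NSEC3":
            return parse_nsec3_params(rdata)
    return None


def nsec3param_from_apex(apex_response: str) -> Optional[Nsec3Params]:
    """Second answer's method: an NSEC3 zone publishes NSEC3PARAM at its apex.

    Returns None when the ANSWER section carries no NSEC3PARAM record."""
    for _, rtype, rdata in parse_records(apex_response):
        if rtype == "NSEC3PARAM":
            return parse_nsec3_params(rdata)
    return None


def opt_out_enabled(p: Nsec3Params) -> bool:
    """Opt-Out (flag bit 0x01, RFC 5155) means unsigned delegations are not covered."""
    return bool(p.flags & 0x01)


if __name__ == "__main__":
    for label, sample in (("NSEC3 zone", NSEC3_DENIAL), ("NSEC zone", NSEC_DENIAL), ("unsigned", UNSIGNED_DENIAL)):
        print(f"{label:12s} denial scheme: {classify_denial(sample)}")
    print("apex NSEC3PARAM:", nsec3param_from_apex(APEX_WITH_PARAM))
    print("NSEC3 record params:", nsec3_record_params(NSEC3_DENIAL))
```

To use it on a live zone, paste the output of `dig +dnssec <nonexistent-name>.<zone>` into classify_denial and the output of `dig -t NSEC3PARAM <zone>` into nsec3param_from_apex. The first check is the more reliable of the two when you can only reach a recursive resolver, because it also tells you whether DNSSEC records are being returned at all; the apex check is the quicker one when you are talking to the authoritative server directly.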