
Thursday, 23 December 2010

DNSSEC NSEC3 domain hash computation algorithm

DNSSEC is a DNS extension that authenticates DNS responses and ensures their integrity, in order to offer protection against DNS spoofing.

DNSSEC comes with two "denial of existence" mechanisms: NSEC (RFCs 4033, 4034, 4035) and NSEC3 (RFC 5155).

Now, how does "denial of existence" work?

When a query is made for a non-existent domain, a specific answer is returned to the resolving client, giving the closest existing domains that sort alphabetically before and after the queried domain. But what is very sensitive about this way of proving the non-existence of a domain is that it lets anyone easily enumerate the whole zone.

That's why NSEC3 was designed: to prove the non-existence of a domain while at the same time preventing the zone from being walked.
Instead of simply returning the closest domains, it returns hashes of those domains.

How to compute the NSEC3 hash?

I will detail a little how this NSEC3 hash is computed:

If you have a look at a zone, you will find additional records, such as NSEC3PARAM:

example.com. NSEC3PARAM 1 0 12 aabbccdd

The RDATA of such a record is composed of:
  • an algorithm field (1 means SHA-1)
  • a flags field
  • an iterations field
  • a salt, represented as a sequence of case-insensitive hexadecimal digits
Then the hashing algorithm is given by:
 IH(salt, x, 0) = H(x || salt), and
IH(salt, x, k) = H(IH(salt, x, k-1) || salt), if k > 0
With my example.com domain, the hash computation will be:

IH(fromHexStringToByte("aabbccdd"), toCanonicalWireFormat("example.com"), 12)

fromHexStringToByte is a base-16 decoder: fromHexStringToByte("aabbccdd") = [0xaa, 0xbb, 0xcc, 0xdd]. See RFC 4648.

toCanonicalWireFormat converts the domain to wire format using its canonical form (lowercase labels, each prefixed by its length, terminated by the zero-length root label): toCanonicalWireFormat("example.com") = [0x07, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x03, 0x63, 0x6f, 0x6d, 0x00]. See RFC 4034 (canonical form), RFC 3845 (wire format).

And that's it: you are now able to compute the NSEC3 hash of your favourite domain. You just need to wait for NSEC3PARAM to be published in the respective zone to get all the necessary parameters :)

Saturday, 9 October 2010

Moving from ELCA to Verisign

I had a great time at ELCA Informatique SA, working for almost 3 years on Secutix, a complete ticketing system. But now it's time for me to move forward and see something else: different projects, different colleagues, different cultures, speaking more English, being nearer to home, and so on...

That's why I will move to Verisign, beginning on the 2nd of November (the 1st is a day off :)). Working on the heart of the Internet (aka DNS) is some kind of childhood dream which I will be able to realize! I'm really excited to see how root name servers work, what's behind registrars (aka the registry), implementing DNSSEC, or what 1 billion transactions a day means.

I really look forward to starting there, and at the same time wish all the best to the Secutix team!