Zone Dumping via DNSSEC(harrisonm.com)
harrisonm.com
Zone Dumping via DNSSEC
https://harrisonm.com/blog/nsec-walking
3 comments
NSEC3 is not much better! It's usually a simple iterated hash, of the sort Unices used in the 1990s before the invention of bcrypt, so they can cracked the same way a 1990s password file would be.
Yes, it's not much better, but it's better than nothing. It'll at least make people work a little.
I've also naively taken it for granted that some of my machines that're only running ssh on IPv6 wouldn't be subject to brute force attacks, but now I can see how someone might discover DNS names that aren't shared publicly. Good to know!