Re: issues with draft-ietf-dnsext-dnssec-trans-00.txt
> > if you do nothing, then paranoid clients will continue to have very
> > little confidence in spoofed data. if you use a zone-covering NSEC
> > for all responses, then paranoid clients will have high confidence
> > in spoofed data.
>
> Which is one reason why it would be good if there was some signaling
> that denials should not be treated as authenticated: ...

if you want non-authenticated denial, maybe you should just leave out
the NSEC altogether. putting your signature on one that covers names
which actually exist, and then leaking that signed "lie" to the universe,
where others could replay or misinterpret it out of context, seems like
a huge mistake to me.
--
archive: <http://ops.ietf.org/lists/namedroppers/>
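
The concern in the message above, as an added example that is not part of the original thread: a validator's NSEC coverage test (canonical name ordering per RFC 4034) applied to an honest NSEC chain and to a single zone-covering NSEC. The zone `example.com.`, its names, and the function names are constructed for illustration, and every record is assumed to carry a valid signature.

```python
# Added illustration: which existing names does a signed NSEC "prove" absent?
# Zone contents and names below are constructed sample data.

def canonical_key(name):
    """RFC 4034 canonical ordering key: lowercase labels, rightmost first.
    Escaped dots inside labels are not handled in this sketch."""
    labels = [l.encode("ascii").lower() for l in name.rstrip(".").split(".") if l]
    return labels[::-1]

def nsec_covers(owner, next_name, qname, apex):
    """True if the NSEC (owner -> next_name) denies the existence of qname."""
    o, n, q, a = (canonical_key(x) for x in (owner, next_name, qname, apex))
    if q[:len(a)] != a:          # qname is outside the zone: record says nothing
        return False
    if o < n:                    # ordinary link in the chain
        return o < q < n
    return q > o or q < n        # last link wraps to the apex (or owner == next)

def denied_existing(nsecs, existing, apex):
    """Existing names that at least one of the given NSECs would deny."""
    return [q for q in existing
            if any(nsec_covers(o, n, q, apex) for o, n in nsecs)]

APEX = "example.com."
EXISTING = ["example.com.", "mail.example.com.", "www.example.com."]

# Honest chain: each NSEC spans only the gap between two real names.
HONEST = [("example.com.", "mail.example.com."),
          ("mail.example.com.", "www.example.com."),
          ("www.example.com.", "example.com.")]

# Zone-covering NSEC: apex pointing back at itself, spanning the whole zone.
ZONE_COVERING = [("example.com.", "example.com.")]

if __name__ == "__main__":
    print("honest chain denies:", denied_existing(HONEST, EXISTING, APEX))
    print("zone-covering denies:", denied_existing(ZONE_COVERING, EXISTING, APEX))
```

Once captured, the zone-covering record passes the same coverage test for every name below the apex, so a validator that trusts the signature has no way to tell it was never meant as a denial for `www.example.com.`.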