Re: issues with draft-ietf-dnsext-dnssec-trans-00.txt
On Mon, 2004-06-14 at 16:57, Paul Vixie wrote:
> if you want non-authenticated denial, maybe you should just leave out
> the NSEC altogether.
I think at that point you may as well not answer the question. If your
zone has a key, an unsigned response looks like an attack, and should be
discarded.
I kind of like the deny-the-whole-zone NSEC response, personally. The
denial replay attack seems like a relatively mild practical
consequence. (Of course, I think it's much better to have real NSEC
records and a zone file available for FTP, and I think most of the
arguments against doing that are horribly off the mark, but I'm willing
to take it as axiomatic that some zones will find denying enumeration
more important than having good security against spoofing attacks.)
archive: <http://ops.ietf.org/lists/namedroppers/>
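Added example, not part of the thread: a small Python checker for which names an NSEC record covers, contrasting a real NSEC chain with the deny-the-whole-zone response (owner and next both the apex) to show why a captured denial of the latter kind can be replayed as a bogus NXDOMAIN for names that actually exist. The zone contents and function names are constructed for illustration.

```python
"""NSEC coverage check (added example, not from the namedroppers thread).

Models the denial-replay concern: a whole-zone NSEC (owner == next == apex)
covers every name in the zone, so one signed denial "proves" that existing
names do not exist. All names and records below are constructed.
"""


def canonical_key(name: str) -> tuple:
    """Sort key for RFC 4034 section 6.1 canonical ordering: labels are
    compared right to left, case-insensitively, as byte strings, and a
    parent name sorts before its children."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(label.encode("ascii") for label in reversed(labels))


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname lies strictly inside the gap (owner, next_name).

    When next_name sorts at or before owner, the record is the last in the
    chain (it points back to the apex) and the gap wraps around: it then
    covers everything after owner and everything before next_name.
    """
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n


def replayable_denials(nsec_records, existing_names):
    """Names that exist in the zone yet are 'denied' by some NSEC record.
    Each such signed record could be replayed to a validator as a bogus
    NXDOMAIN for that name (the replay risk discussed above)."""
    return sorted(name for name in existing_names
                  if any(nsec_covers(o, n, name) for o, n in nsec_records))


# Constructed zone: the apex plus two hosts.
EXISTING = ["example.com.", "a.example.com.", "c.example.com."]
# Real NSEC chain: one record per name, last one wraps back to the apex.
REAL_CHAIN = [("example.com.", "a.example.com."),
              ("a.example.com.", "c.example.com."),
              ("c.example.com.", "example.com.")]
# Deny-the-whole-zone response: a single NSEC whose owner and next are the apex.
WHOLE_ZONE = [("example.com.", "example.com.")]

if __name__ == "__main__":
    print(replayable_denials(REAL_CHAIN, EXISTING))   # []
    print(replayable_denials(WHOLE_ZONE, EXISTING))   # ['a.example.com.', 'c.example.com.']
```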