Re: MagicType draft
At 15:41 -0500 11/17/04, Andras Salamon wrote:
> Why does the online signing of wildcard records remove the need to prove
> the original QNAME does not exist?
On-line signing of authenticated denials tailored to the query
removes the need to worry about wildcards. This is because the proof
can be tied to the query.
E.g.,
If you want to prove that foo.example doesn't exist, you'd need:
bar.example. NSEC example.
RRSIG NSEC
example. NSEC bar.example.
RRSIG NSEC
The first shows that foo.example. isn't there, the latter that there's no
wildcard. The reason two are needed is that that's how many it takes to
cover all of the places to look, as specified in RFC
1034/4.3.2/step 3/part C.
If you tailor the answer, you'd only need:
fon.example. BERT fop.example.
RRSIG BERT .... by appropriate key ....
The difference is that the validator knows that the response was
generated on the fly. If there had been a wildcard, that record would not
have been generated; it would have been replaced by an answer (if appropriate).
For client-server protocols to work, you have to assume the other
side is complying with the protocol. DNSSEC doesn't protect against
non-compliant implementations; it protects against modifications "in
transit." So it's not important that the server 'prove' all its
steps as it had to with NSEC; it's only important that the answer is
signed by the holder of the secret needed. Hopefully the secret is
only available to the (authoritatively answering) server.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
I would have been at the meeting, but I was busy raking the leaves from
the (now) empty non-terminals in my yard.
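The contrast in the message above, as an added example that is not part of the original mail or any DNS implementation: a small Python model of both denial styles. The pre-signed NSEC chain is checked the RFC 1034 4.3.2 step 3c way (one record covering the QNAME, a second covering the wildcard at the closest encloser), while the on-line signer emits a single tailored record bracketing the QNAME. The type name "BERT", the names fon/fop, and the zone contents are taken from the post; the bracketing rule (decrement/increment the last byte of the first label), the HMAC stand-in for the RRSIG/DNSKEY pair, and the canonical-ordering helper are this example's own assumptions.

```python
# Added example (not from the mail or any DNS software). Models the two denial
# styles contrasted in the post: a pre-signed NSEC chain vs. a tailored,
# on-line signed "BERT" record (hypothetical type name from the post).
import hashlib
import hmac


def canonical_key(name):
    """RFC 4034 section 6.1 canonical ordering: compare labels right to left,
    lowercased, byte-wise; a name that is a prefix of another sorts first."""
    labels = [lbl.encode() for lbl in name.lower().rstrip(".").split(".") if lbl]
    return tuple(reversed(labels))


def covers(owner, nxt, name):
    """True if name lies strictly inside the interval (owner, nxt).
    The last record in a chain points back to the apex, so it wraps around."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(name)
    if o < n:
        return o < q < n
    return q > o or q < n  # wrap-around interval at the end of the chain


def parent(name):
    return ".".join(name.split(".")[1:])


def closest_encloser(zone_names, qname):
    """Walk up from qname until an existing name (at worst the apex) is found."""
    name = parent(qname)
    while name not in zone_names:
        name = parent(name)
    return name


def prove_nxdomain_nsec(nsec_chain, qname):
    """Pre-signed NSEC: step 3c of RFC 1034 4.3.2 needs the QNAME shown absent
    AND the wildcard at the closest encloser shown absent, hence two records.
    Returns [(owner, next), (owner, next)] or None when no denial applies."""
    zone_names = {owner for owner, _ in nsec_chain}
    if qname in zone_names:
        return None  # the name exists; this is an answer, not a denial
    qname_nsec = next(r for r in nsec_chain if covers(r[0], r[1], qname))
    wildcard = "*." + closest_encloser(zone_names, qname)
    if wildcard in zone_names:
        return None  # a wildcard exists: the server synthesizes an answer
    wc_nsec = next(r for r in nsec_chain if covers(r[0], r[1], wildcard))
    return [qname_nsec, wc_nsec]


def sign(record, secret):
    # Assumption: HMAC stands in for the RRSIG over the record; in DNSSEC this
    # would be a public-key signature verified against the zone's DNSKEY.
    return hmac.new(secret, "|".join(record).encode(), hashlib.sha256).hexdigest()


def online_deny(zone_names, qname, secret):
    """On-line signer: answer if the name or a matching wildcard exists;
    otherwise emit ONE tailored BERT record bracketing the QNAME and sign it."""
    if qname in zone_names:
        return ("answer", qname)
    if "*." + closest_encloser(zone_names, qname) in zone_names:
        return ("wildcard-answer", qname)
    first, rest = qname.split(".", 1)
    # Toy bracketing (assumption): shift the last byte of the first label by one,
    # giving fon.example. < foo.example. < fop.example. as in the post.
    owner = first[:-1] + chr(ord(first[-1]) - 1) + "." + rest
    nxt = first[:-1] + chr(ord(first[-1]) + 1) + "." + rest
    # The interval must not swallow any real name, or the denial would lie.
    assert not any(covers(owner, nxt, n) for n in zone_names)
    record = (owner, "BERT", nxt)
    return ("denial", record, sign(record, secret))


def validate_tailored(qname, response, secret):
    """Validator side: one signed record whose interval contains the QNAME is
    enough; no wildcard proof is needed because a compliant on-line signer
    would have produced a wildcard answer instead of this record."""
    if response[0] != "denial":
        return False
    record, sig = response[1], response[2]
    if not hmac.compare_digest(sig, sign(record, secret)):
        return False
    owner, rtype, nxt = record
    return rtype == "BERT" and covers(owner, nxt, qname)


if __name__ == "__main__":
    chain = [("example.", "bar.example."), ("bar.example.", "example.")]
    print("NSEC proof for foo.example.:", prove_nxdomain_nsec(chain, "foo.example."))
    resp = online_deny({"example.", "bar.example."}, "foo.example.", b"zone-secret")
    print("Tailored denial:", resp[1], "valid:", validate_tailored("foo.example.", resp, b"zone-secret"))
```

Running it shows the two NSEC records from the post for foo.example. and the single fon/fop BERT record; adding "*.example." to the zone makes both paths stop denying, since the wildcard now yields an answer.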