
RE: draft-lozano-nsec-random-00



> -----Original Message-----
> From: owner-namedroppers@ops.ietf.org
> [mailto:owner-namedroppers@ops.ietf.org]On Behalf Of David Blacka
>
> Gustavo Lozano Ibarra wrote:
> > I have been talking with some colleagues at NIC Mexico and
> > other organizations about an idea to address the issue of DNS
> > enumeration in the DNSSECbis protocol.
> >
> > I wrote a draft describing the idea and I would appreciate
> > receiving comments about it.
> >
> > The draft:
> > http://www.ietf.org/internet-drafts/draft-lozano-nsec-random-00.txt
>
> Well, for one, you would be enabling a man in the middle to provably
> deny the existence of anything in the zone, which is contrary to the
> design goals of DNSSEC.
>

Also, one of the early design principles was that DNSSEC would not add names
to the zone.  That is, the same canonical order of names must exist in both
the signed and unsigned zones.  Personally, I don't know how important this
is, but I feel uneasy with schemes that add names to the zone when they
become signed.

Scott

> --
> David Blacka    <davidb@verisignlabs.com>
> Sr. Engineer    VeriSign Applied Research
>
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>
>
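To illustrate the property Scott refers to (a signed zone carries exactly the owner names of the unsigned zone, linked in the canonical order of RFC 4034 section 6.1), here is an added Python example; it is not part of any message in this thread or of the draft, and the zone data in it is constructed.

```python
"""Canonical DNS name ordering (RFC 4034, section 6.1) and the NSEC chain
built from it.  Constructed zone data; added example, not part of any
message in this thread."""


def canonical_key(name: str) -> tuple:
    """Sort key implementing RFC 4034 canonical ordering: compare labels from
    the root downward, case-folded, with a shorter name sorting before a
    longer one that shares its trailing labels."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def canonical_order(names):
    """Names in the order an NSEC chain links them."""
    return sorted(names, key=canonical_key)


def nsec_chain(owner_names):
    """One (owner, next owner) pair per existing owner name; the last NSEC
    wraps around to the first name (the zone apex), so every NSEC owner is a
    name that already existed in the unsigned zone."""
    ordered = canonical_order(owner_names)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def names_added_by_signing(unsigned_names, chain):
    """Owner names present in the signed zone but absent from the unsigned
    one: empty for plain NSEC, which is the design principle Scott refers to.
    A scheme that inserts synthetic names would return a non-empty set."""
    return {owner for owner, _ in chain} - set(unsigned_names)


def covering_nsec(chain, qname):
    """The NSEC whose (owner, next) interval covers a name that does not
    exist.  This is the denial-of-existence proof; the two real names it
    discloses are exactly what makes zone walking possible, which is the
    issue the draft sets out to address."""
    q = canonical_key(qname)
    for owner, nxt in chain:
        o, n = canonical_key(owner), canonical_key(nxt)
        if o < q < n:
            return (owner, nxt)
        if n <= o and (q > o or q < n):  # wrap-around record at the end of the chain
            return (owner, nxt)
    return None


# Constructed unsigned zone: apex plus a few owner names, given in arbitrary order
UNSIGNED_ZONE = ["www.example.", "example.", "Z.a.example.", "mail.example.", "a.example."]

if __name__ == "__main__":
    chain = nsec_chain(UNSIGNED_ZONE)
    for owner, nxt in chain:
        print(f"{owner:16} NSEC {nxt}")
    print("names added by signing:", names_added_by_signing(UNSIGNED_ZONE, chain))
    print("q.example. is denied by:", covering_nsec(chain, "q.example."))
```

Running it prints the five NSEC records in canonical order (apex first, `Z.a.example.` sorted under `a.example.` despite its case, and the last record pointing back to the apex), an empty set for names added by signing, and the `mail.example.` to `www.example.` record as the proof that `q.example.` does not exist.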