
Re: draft-lozano-nsec-random-00



> I wrote a draft describing the idea and I would appreciate receiving comments
> about it.
> 
> The draft : http://www.ietf.org/internet-drafts/draft-lozano-nsec-random-00.txt

You're introducing competing NSEC RRs separating NXDOMAIN from NOERROR/NODATA.
The choice of the NSEC RR to be sent with the answer needs to be specified
more precisely (since the server may not be able to know which one was
randomly generated), but essentially you're giving up authenticated denial
of existence (of names): 

In your zone

   a.example (random generated) 
   b.example (original) 
   c.example (random generated) 
   e.example (original) 
   f.example (random generated) 
   h.example (original) 
   z.example (random generated) 
 
you create NSEC RRs pointing from one randomly generated name to 'the next',
but since there's no information in those randomly generated names, the
approach can be reduced to a single NSEC RR spanning the whole zone. Now,
all names within the zone (any zone) can be proven not to exist, including,
of course, those that do actually exist and own RRsets.

-Peter
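
The argument above, worked through as an added Python example. This is not code from the thread, from the draft, or from any DNS implementation; it models the zone Peter lists (b, e, h are the real names; a, c, f, z are random filler) and assumes, as his reply describes, that the draft's chain is an NSEC chain built over the random names only. RRSIGs are not modelled: what matters for the replay is only which name interval a signed NSEC covers.

```python
"""Why an NSEC chain built from random names cannot deny existence.

Added example, not from the thread or the draft. Owner names are
absolute (trailing dot); canonical ordering follows RFC 4034 section 6.1.
Signatures are not modelled: in DNSSEC an attacker replays the NSEC
together with its RRSIG, so the question is only which names an NSEC covers.
"""
from dataclasses import dataclass


def canonical_key(name):
    # RFC 4034 s6.1: compare labels right to left, case-insensitively,
    # byte-wise; a name sorts before its own subdomains.
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode() for label in reversed(labels))


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str

    def covers(self, qname):
        """True when this NSEC asserts that qname does not exist."""
        q, o, n = (canonical_key(x) for x in (qname, self.owner, self.next_name))
        if q == o:
            return False  # the owner itself exists
        if o < n:
            return o < q < n
        return q > o or q < n  # last NSEC of the chain wraps to the apex


def build_chain(names):
    """Standard NSEC chain: each name points at the next in canonical order."""
    ordered = sorted(set(names), key=canonical_key)
    return [NSEC(ordered[i], ordered[(i + 1) % len(ordered)])
            for i in range(len(ordered))]


def denial_for(chain, qname):
    """Return an NSEC from the chain that covers qname, or None."""
    for rr in chain:
        if rr.covers(qname):
            return rr
    return None


def deniable(chain, names):
    """Names for which the chain contains a matching NXDOMAIN proof."""
    return [n for n in names if denial_for(chain, n) is not None]


APEX = "example."
REAL_NAMES = ["b.example.", "e.example.", "h.example."]   # own RRsets
RANDOM_NAMES = ["a.example.", "c.example.", "f.example.", "z.example."]

# Normal DNSSEC: the chain runs over the names that actually exist.
REAL_CHAIN = build_chain([APEX] + REAL_NAMES)
# The draft as described in the reply: the chain runs over random names.
RANDOM_CHAIN = build_chain([APEX] + RANDOM_NAMES)
# Peter's reduction: random names carry no information, so the random
# chain is equivalent to one NSEC spanning the whole zone.
SINGLE_NSEC = build_chain([APEX])


if __name__ == "__main__":
    print("real chain denies existing names:  ", deniable(REAL_CHAIN, REAL_NAMES))
    print("random chain denies existing names:", deniable(RANDOM_CHAIN, REAL_NAMES))
    print("single NSEC denies existing names: ", deniable(SINGLE_NSEC, REAL_NAMES))
    # Replay: the signed NSEC that legitimately denied d.example also
    # "proves" that the real name e.example does not exist.
    seen = denial_for(RANDOM_CHAIN, "d.example.")
    print(seen, "covers e.example:", seen.covers("e.example."))
```

With the real chain, an existing name is always the owner of an NSEC and is never inside any interval, so no signed record can be replayed to deny it. With the random chain every real name falls strictly between two random names, so a single captured NXDOMAIN response (the NSEC plus its RRSIG) denies a name that does exist. The one-NSEC chain covers everything but the apex, which is the reduction the reply describes.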

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>