Return-Path: X-Original-To: dnsext@ietfa.amsl.com Delivered-To: dnsext@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 479D21A1F7B for ; Tue, 19 Nov 2013 22:59:53 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.424 X-Spam-Level: X-Spam-Status: No, score=-2.424 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.525] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s6aolX7HZjan for ; Tue, 19 Nov 2013 22:59:51 -0800 (PST) Received: from cnnic.cn (smtp.cnnic.cn [218.241.118.7]) by ietfa.amsl.com (Postfix) with SMTP id 3AC871A1F76 for ; Tue, 19 Nov 2013 22:59:50 -0800 (PST) X-EYOUMAIL-SMTPAUTH: yaojk@cnnic.cn Received: from unknown127.0.0.1 (HELO healthyao-think) (127.0.0.1) by 127.0.0.1 with SMTP; Wed, 20 Nov 2013 14:59:39 +0800 Date: Wed, 20 Nov 2013 14:59:40 +0800 From: "Jiankang Yao" To: "Ted Lemon" , "dnsext@ietf.org Group" References: X-Priority: 3 X-Has-Attach: no X-Mailer: Foxmail 7.0.1.92[cn] Mime-Version: 1.0 Message-ID: <201311201459364160303@cnnic.cn> Content-Type: multipart/alternative; boundary="----=_001_NextPart011677867318_=----" Subject: Re: [dnsext] Authenticated denial of existence... X-BeenThere: dnsext@ietf.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: yaojk List-Id: DNS Extensions working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Nov 2013 06:59:53 -0000 This is a multi-part message in MIME format. ------=_001_NextPart011677867318_=---- Content-Type: text/plain; charset="gb2312" Content-Transfer-Encoding: base64 DQpnb29kIHdyaXRpbmcgb2YgdGhpcyBkcmFmdC4NCg0KSSBhbSBpbnRlcmVzdGVkIHRoZSBmb2xs b3dpbmcgdGV4dCBpbiBzZWN0aW9uIDM6DQoiICAgMi4gIFRoZSBETlMgcGFja2V0IGhlYWRlciBp cyBub3Qgc2lnbmVkLiAgVGhpcyBtZWFucyB0aGF0IGEgInN0YXR1czoNCiAgICAgICBOWERPTUFJ TiIgY2FuIG5vdCBiZSB0cnVzdGVkLiAgSW4gZmFjdCB0aGUgZW50aXJlIGhlYWRlciBtYXkgYmUN CiAgICAgICBmb3JnZWQsIGluY2x1ZGluZyB0aGUgQUQgYml0IChBRCBzdGFuZHMgZm9yIEF1dGhl bnRpYyBEYXRhLCBzZWUNCiAgICAgICBSRkMgMzY1NSBbUkZDMzY1NV0pLCB3aGljaCBtYXkgZ2l2 ZSBzb21lIGZvb2QgZm9yIHRob3VnaHQ7DQoiDQpzbyBpZiB0aGUgcmVzb2x2ZXIgaXMgYXR0YWNr ZWQsIHN1Y2ggYXMgaGFja2luZyB0aGUgInN0YXR1cyIgZmllbGQgb3IgdGhlIHdob2xlIGhlYWRl ciwgd2hhdCB3aWxsIGhhcHBlbj8NCg0KDQoNCg0KDQpKaWFua2FuZyBZYW8NCg0KRnJvbTogVGVk IExlbW9uDQpEYXRlOiAyMDEzLTExLTIwIDExOjMwDQpUbzogR3JvdXAgDQpTdWJqZWN0OiBbZG5z ZXh0XSBBdXRoZW50aWNhdGVkIGRlbmlhbCBvZiBleGlzdGVuY2UuLi4NCklzIHRoaXMgb24gYW55 b25lJ3MgcmFkYXI/ICAgV2hhdCBhcmUgeW91ciB0aG91Z2h0cyBhYm91dCBpdD8NCg0KaHR0cHM6 Ly9kYXRhdHJhY2tlci5pZXRmLm9yZy9kb2MvZHJhZnQtZ2llYmVuLWF1dGgtZGVuaWFsLW9mLWV4 aXN0ZW5jZS1kbnMvDQoNCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fDQpkbnNleHQgbWFpbGluZyBsaXN0DQpkbnNleHRAaWV0Zi5vcmcNCmh0dHBzOi8vd3d3 LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vZG5zZXh0 ------=_001_NextPart011677867318_=---- Content-Type: text/html; charset="gb2312" Content-Transfer-Encoding: quoted-printable

good writing of this draft.

I am interested the following text in = section=20 3:

"   2. The DNS packet = header=20 is not signed. This means that a=20 "status:
       NXDOMAIN" can not be=20 trusted. In fact the entire header may=20 be
       forged, including the AD bit (A= D=20 stands for Authentic Data, see
       RFC= 3655=20 [RFC3655]), which may give some food for thought;
"

so if the resolver is attacked, such a= s=20 hacking the "status" field or the whole header, what will happen?

Jiankang Yao

From: Ted=20 Lemon

Date: 2013-11-20 11:30

To: Group=20

Subject: [dnsext] Authenticated denial of=20 existence...

Is this on anyone's radar? What&= nbsp;are your thoughts about it?

https://datatracker.ietf.org/doc/draft-gieben-auth-denial-of-existenc= e-dns/

_______________________________________________

dnsext mailing list

dnsext@ietf.org

https://www.ietf.org/mailman/listinfo/dnsext

------=_001_NextPart011677867318_=------