Re: [DNSOP] How Slack didn't turn on DNSSEC

Mark Andrews <marka@isc.org> Wed, 01 December 2021 15:41 UTC

Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <840356c1-fcb5-7043-595b-0719bce8428e@nic.cz>
Date: Thu, 02 Dec 2021 02:40:56 +1100
Cc: dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <A5EBCA50-7A25-47A2-8A24-38AC2FA3C337@isc.org>
References: <m1msK9b-0000HrC@stereo.hq.phicoh.net> <C3D5AC3A-CA5A-4F33-8BDA-DDFADD23649C@isc.org> <5f987ab1-c28a-b169-becf-1c44bdac60f4@nic.cz> <B12FC011-582F-46BC-BDEC-23AB45D33932@isc.org> <7b446404-65ec-99b8-7485-3b4b7204ebb7@nic.cz> <A38653D4-AEF0-4381-A924-80DF9E28D9E6@isc.org> <840356c1-fcb5-7043-595b-0719bce8428e@nic.cz>
To: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/1DK4OPA6iOfUIfHMusofLQLCl84>
Subject: Re: [DNSOP] How Slack didn't turn on DNSSEC
Precedence: list


> On 2 Dec 2021, at 01:57, Vladimír Čunát <vladimir.cunat+ietf@nic.cz> wrote:
> 
> On 01/12/2021 15.49, Mark Andrews wrote:
>> Black lies is “QNAME NSEC \000.QNAME NSEC RRSIG”.  There is no churn for "black lies”.  Black lies turns NXDOMAIN into NODATA.
>> 
>> "DNS Shotgun" can produce churn of NSEC if you ask for a type that is listed as existing but it doesn’t actually exist.  The NSEC returned is still valid for DNSSEC synthesis.
> 
> Oh, I'm sorry; a terminological problem.  I used "black-lies" for the overall behavior of Cloudflare auths, as described in that blog article.  Maybe we could extend the current terminology draft :-D
> 
> (Nit: about random QTYPE attacks, I can't see a point when you leave random QNAME attacks undefended.)

Dropping them also sets a bad precedent as one then has to deal with “but foobar works with the bad type map” complaints.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

[DNSOP] How Slack didn't turn on DNSSEC John Levine
Re: [DNSOP] How Slack didn't turn on DNSSEC Viktor Dukhovni
Re: [DNSOP] How Slack didn't turn on DNSSEC Philip Homburg
Re: [DNSOP] How Slack didn't turn on DNSSEC Mark Andrews
Re: [DNSOP] How Slack didn't turn on DNSSEC Mark Andrews
Re: [DNSOP] How Slack didn't turn on DNSSEC Vladimír Čunát
Re: [DNSOP] How Slack didn't turn on DNSSEC Philip Homburg
Re: [DNSOP] How Slack didn't turn on DNSSEC libor.peltan
Re: [DNSOP] How Slack didn't turn on DNSSEC Tim Wicinski
Re: [DNSOP] How Slack didn't turn on DNSSEC Mark Andrews
Re: [DNSOP] How Slack didn't turn on DNSSEC Vladimír Čunát
Re: [DNSOP] How Slack didn't turn on DNSSEC Mark Andrews
Re: [DNSOP] How Slack didn't turn on DNSSEC Vladimír Čunát
Re: [DNSOP] How Slack didn't turn on DNSSEC Mark Andrews
Re: [DNSOP] How Slack didn't turn on DNSSEC Paul Vixie
Re: [DNSOP] How Slack didn't turn on DNSSEC Andrew Sullivan
Re: [DNSOP] How Slack didn't turn on DNSSEC Jim Reid
Re: [DNSOP] How Slack didn't turn on DNSSEC Viktor Dukhovni
Re: [DNSOP] How Slack didn't turn on DNSSEC Paul Vixie
Re: [DNSOP] How Slack didn't turn on DNSSEC Viktor Dukhovni
Re: [DNSOP] How Slack didn't turn on DNSSEC John Levine
Re: [DNSOP] How Slack didn't turn on DNSSEC Petr Špaček
Re: [DNSOP] How Slack didn't turn on DNSSEC - is … Petr Špaček
Re: [DNSOP] How Slack didn't turn on DNSSEC Philip Homburg
Re: [DNSOP] How Slack didn't turn on DNSSEC Mark Andrews