Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.

[Olafur Gudmundsson <ogud@ogud.com>]

At 15:54 22/01/2010, Alex Bligh wrote:


>--On 22 January 2010 15:45:54 -0500 Edward Lewis <Ed.Lewis@neustar.biz> wrote:
>
>>>contents) in example.org. So, whilst opt-out should be avoided
>>>across intervals containing secure delegations, I see no reason
>>>to avoid it across intervals that don't contain secure delegations.
>>
>>Opt-out is restricted to "intervals" that contain only unsecured
>>delegations.
>
>Doh! Yes indeed. In which case I stand by my original argument: I can't
>see how opt-out really increase spoofability. It can't affect
>a secure delegation, and the contents of an insecure delegation
>or denial thereof (if not the delegation itself) are spoofable
>with or without opt-out. Paul's example of a secure delegation
>with opt-out across it can't exist.

Lets say example is signed, bank.example is signed using NSEC3 with opt-out
in one span to hide one division.
Lets say secure.bank.example by co-incidence falls into the opt-ed-out gap.
Now a phisher can attempt to insert an insecure delegation called 
secure.bank.example
into caches and send mails telling people to visit this site to claim 
their price

Opt-out was designed for large delegation-only/mostly zones, in almost all
other cases it should not be used.

The use of NSEC vs NSEC3 in zone is a different discussion.

A zone that contains guess-able names gains almost nothing from using NSEC3.
A zone operator may still feel better using NSEC3 :-)
If you really want to hide the content of your zone only epsilon 
signing will work
RFC4470+RFC4471.

         Olafur