Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

神明達哉 <> Wed, 19 July 2017 23:14 UTC

At Tue, 18 Jul 2017 18:20:56 +0530,
Mukund Sivaraman <> wrote:

> Dealing with water torture and some other attacks have had several
> band-aid approaches that don't always work well in practice. The most
> promising (and what feels correct) is
> draft-ietf-dnsop-nsec-aggressiveuse, but it doesn't work for unsigned
> zones.

Do you mean it's the most promising measure for authoritative servers?
If so, and if nsec-aggressiveuse is more widely deployed in resolvers,
and if the authoritative operators feel the pain so keenly, I'd rather
imagine they are willing to pay the cost of deploying DNSSEC.

If you mean it's the most promising measure for recursive servers, I
simply don't buy the argument.  (I made that comment while the wg
discussed nsec-aggressiveuse and it toned down quite a lot in that
sense as a result of it, so I believe it's based on a wg rough

So, either way, I don't see a strong case for the trick of using
nsec-aggressiveuse on an unsigned zone with DNS cookies.

JINMEI, Tatuya