Re: [DNSOP] Empty Non-Terminal vs NXDOMAIN in draft-ietf-dnsop-nsec-aggressiveuse

Roy Arends <roy@dnss.ec> Mon, 10 October 2016 21:24 UTC

From: Roy Arends <roy@dnss.ec>
Date: Mon, 10 Oct 2016 22:24:40 +0100
To: Mark Andrews <marka@isc.org>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Empty Non-Terminal vs NXDOMAIN in draft-ietf-dnsop-nsec-aggressiveuse
In-Reply-To: <20161010203908.EE0225626F0A@rock.dv.isc.org>
References: <EA312F37-2E4C-45E0-AF0A-B0A0663B73E8@dnss.ec> <20161010203908.EE0225626F0A@rock.dv.isc.org>
Message-Id: <0BE787CD-3877-48C0-8BF9-3E15F605D314@dnss.ec>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/McZxdjKQv5sUJZxOQe6_IPq0kJM>

On 10 Oct 2016, at 21:39, Mark Andrews <marka@isc.org> wrote:
> 
> 
> In message <EA312F37-2E4C-45E0-AF0A-B0A0663B73E8@dnss.ec>, Roy Arends writes:
>> Having read the draft
>> 
>> How does one distinguish an Empty Non-Terminal NODATA response from an
>> NXDOMAIN response, solely by looking at the NSEC or NSEC3 records?
> 
> NSEC:  Find the NSEC record that proves that there are no records
> at the given name (note all of the owner, the next domain name and
> the bit map need to be examined to do this).  If either the owner
> name or the next domain name of that record is a subdomain of the
> given name then it is an ENT, otherwise it is an NXDOMAIN.

Thanks Mark.

There should be some guidance to this in the draft.

To be complete, for NSEC3: each empty non-terminal has an NSEC3 record associated with it, so there is always a matching NSEC3 record.

The issue remains with NSEC. It is possible to determine the difference. It is important to determine the difference. This method is not specified in the draft that encourages this local optimisation.

Warmly

Roy

> 
>> There is an attack vector where an RCODE0 can be replaced by RCODE3 while
>> keeping the rest of the response completely intact, causing an aggressive
>> use enabled cache to deny existing records.
>> 
>> These kinds of subtleties aren't described in the draft, as far as I can
>> tell.
>> 
>> Roy
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
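The NSEC rule from Mark's reply, written out as an added example that is not part of this thread or of the draft: the classifier looks only at the owner name, the next name and the type bitmap, never at the RCODE, so the RCODE 0 to RCODE 3 swap Roy describes has no effect on the outcome. The function names, the canonical-ordering helper and the three-record "example." zone are my own constructions.

```python
# Added example (not from the thread): decide from NSEC records alone whether a
# negative answer is NODATA at an existing name, an Empty Non-Terminal (ENT) or
# NXDOMAIN, following the rule in Mark Andrews's reply. The RCODE is never
# consulted. Zone contents and names below are constructed sample data.

def labels(name):
    """Labels of a DNS name, root-first and lowercased ([] is the root)."""
    name = name.rstrip(".").lower()
    return [] if not name else name.split(".")[::-1]

def canonical_key(name):
    # RFC 4034 section 6.1 canonical ordering: compare label by label from the
    # root as octet strings; a proper prefix (an ancestor) sorts first.
    return [l.encode() for l in labels(name)]

def is_subdomain(name, ancestor):
    n, a = labels(name), labels(ancestor)
    return len(n) > len(a) and n[: len(a)] == a

def nsec_covers(owner, nxt, qname):
    """True if qname falls strictly between owner and next in canonical order."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC of the zone wraps around to the apex

def classify(qname, qtype, nsec):
    """nsec is (owner, next, set_of_types) -> EXISTS, NODATA, ENT, NXDOMAIN or NO_PROOF."""
    owner, nxt, types = nsec
    if labels(owner) == labels(qname):  # matching NSEC: the name exists
        return "EXISTS" if qtype in types else "NODATA"
    if not nsec_covers(owner, nxt, qname):
        return "NO_PROOF"  # this NSEC says nothing about qname
    # Mark's rule: a covering NSEC whose owner or next name lies below qname
    # proves qname is an ENT; otherwise qname does not exist at all.
    if is_subdomain(owner, qname) or is_subdomain(nxt, qname):
        return "ENT"
    return "NXDOMAIN"

# Constructed NSEC chain for "example.": b.example exists only as the parent
# of x.b.example, so it is an ENT with no NSEC record of its own.
ZONE_NSEC = [
    ("example.", "a.example.", {"SOA", "NS", "NSEC", "RRSIG"}),
    ("a.example.", "x.b.example.", {"A", "NSEC", "RRSIG"}),
    ("x.b.example.", "example.", {"A", "NSEC", "RRSIG"}),
]

def classify_in_zone(qname, qtype, chain=ZONE_NSEC):
    results = {classify(qname, qtype, r) for r in chain} - {"NO_PROOF"}
    return results.pop() if len(results) == 1 else "NO_PROOF"
```

A cache that applies the draft's aggressive negative caching would store the ENT verdict as "name exists, no data" rather than as a non-existent subtree, which is exactly the distinction the thread says the draft leaves unspecified.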