Re: [DNSOP] Comments regarding the NSEC5

[Nicholas Weaver <nweaver@icsi.berkeley.edu>]

> On Mar 11, 2015, at 9:39 AM, Jan Včelák <jan.vcelak@nic.cz> wrote:
> 
> NSEC5 proof is the FDH of domain name.
> NSEC5 hash is SHA-256 of NSEC5 proof.
> 
> I will clarify that.

Why not just do something simpler?  The only thing NSEC5 really differs in a way that counts is not in the NSEC record but really just the DNSKEY handling, having a separate key used for signing the NSEC* records.

So why define NSEC5 at all.


Instead, just specify a separate flag for the DNSKEY record, "NSEC-only", sign the NSEC3 dynamically, bada bing, bada boom, done!


For old resolvers, they just ignore the flag and treat it like any other DNSKEY record, and since the valid names are signed with the other key, while the NSEC* are signed with this key, it works just fine.

For upgraded resolvers, they follow the convention and only will accept RRSIGs for NSEC/NSEC3 with that DNSKEY record.

And then on the authority side, you just dynamically generate and sign the NSEC3 record that says H(name)-1 to H(name)+1 has no valid record and sign that with the NSEC-only key.



This way, you gain the protection against enumeration and the limited damage on key compromise property when validated by upgraded resolvers, and you still get the protection against enumeration when the resolver isn't upgraded, and you don't need to upgrade the resolver in order for this to be deployed.

--
Nicholas Weaver                  it is a tale, told by an idiot,
nweaver@icsi.berkeley.edu                full of sound and fury,
510-666-2903                                 .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc