Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-01.txt
fujiwara@jprs.co.jp Wed, 08 July 2015 09:19 UTC
Date: Wed, 08 Jul 2015 18:19:12 +0900
Message-Id: <20150708.181912.193717819.fujiwara@jprs.co.jp>
To: rharolde@umich.edu
From: fujiwara@jprs.co.jp
In-Reply-To: <CA+nkc8DS2bXmQct_D05kK2Mx6OAyC+zbBLb1jwXKKmjNx+X=yw@mail.gmail.com>
References: <20150310.191541.52184726.fujiwara@jprs.co.jp> <20150707.182043.193693838.fujiwara@jprs.co.jp> <CA+nkc8DS2bXmQct_D05kK2Mx6OAyC+zbBLb1jwXKKmjNx+X=yw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/cyFCICWKZ4p--ubKdzeOrfb8-88>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-01.txt

> From: Bob Harold <rharolde@umich.edu>
> On Tue, Jul 7, 2015 at 5:20 AM, <fujiwara@jprs.co.jp> wrote:
>
>> Akira Kato and I submitted draft-fujiwara-dnsop-nsec-aggressiveuse-01.
>>
>> https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-nsec-aggressiveuse/
>>
>> ...
>>
>> --
>> Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp>
>
> I am concerned that the "AN" flag allows for easy zone walking, defeating
> the purpose of minimal range NSEC records. So I don't think authoritative
> servers would want to respect it.

It's the problem.
However, authoritative DNS servers can detect random subdomain attacks.
They can generate NSEC resource records with wider range under random
subdomain attacks.

> I am also concerned that random subdomain queries will set the CD bit, if
> that avoids aggressive negative caching. So I would think that the CD bit
> should not be allowed to stop aggressive negative caching.

Thanks. I will add.

Regards,

--
Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp>
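
Added example, not part of the original message or the draft: a small simulation of the trade-off discussed above. Minimal-range NSEC answers give an aggressively caching resolver nothing to reuse against random subdomain queries, while wider ranges absorb them but disclose real owner names. The zone, the query names, the `simulate` helper and the simplified RFC 4470-style minimal range are assumptions made for illustration.

```python
import bisect

REAL = ["example.com", "mail.example.com", "www.example.com"]  # constructed zone

def canon(name):
    """RFC 4034 6.1 canonical ordering key: lowercased labels, rightmost first."""
    return tuple(l.encode("latin-1") for l in reversed(name.lower().split(".")))

KEYS = sorted(canon(n) for n in REAL)

def covers(lo, hi, q):
    """True if an NSEC (owner=lo, next=hi) proves q absent; hi <= lo is the wrap to the apex."""
    return lo < q and (q < hi or hi <= lo)

def nsec_for(qname, mode):
    """Authoritative side: NSEC range returned for a nonexistent in-zone qname."""
    q = canon(qname)
    if mode == "wide":                      # real neighbours in the signed zone
        i = bisect.bisect_left(KEYS, q)
        return KEYS[i - 1], KEYS[i % len(KEYS)]
    # "minimal": simplified RFC 4470-style range hugging the qname (assumption)
    left = q[-1]
    lo = q[:-1] + (left[:-1] + bytes([left[-1] - 1]) + b"\xff",)
    hi = q + (b"\x00",)                     # \000.qname, the closest successor
    return lo, hi

class Resolver:
    """Validating resolver that answers NXDOMAIN from cached NSEC ranges."""
    def __init__(self, mode):
        self.mode, self.cache, self.upstream = mode, [], 0

    def lookup(self, qname):
        q = canon(qname)
        if any(covers(lo, hi, q) for lo, hi in self.cache):
            return "cache"                  # aggressive negative caching hit
        self.upstream += 1                  # query reaches the authoritative server
        self.cache.append(nsec_for(qname, self.mode))
        return "authoritative"

def simulate(mode, n=200):
    """Return (upstream queries, real names disclosed) for n random-looking qnames."""
    r = Resolver(mode)
    for i in range(n):                      # constructed, unique 8-hex-digit labels
        r.lookup(f"{i * 2654435761 % 2**32:08x}.example.com")
    seen = {k for rng in r.cache for k in rng}
    return r.upstream, len(seen & set(KEYS))

if __name__ == "__main__":
    for mode in ("minimal", "wide"):
        print(mode, simulate(mode))
```

The simulation assumes every NSEC has already been DNSSEC-validated and that all query names fall inside the zone.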