Re: [DNSOP] How Slack didn't turn on DNSSEC

Mark Andrews <marka@isc.org> Wed, 01 December 2021 14:49 UTC

Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <7b446404-65ec-99b8-7485-3b4b7204ebb7@nic.cz>
Date: Thu, 02 Dec 2021 01:49:16 +1100
Cc: dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <A38653D4-AEF0-4381-A924-80DF9E28D9E6@isc.org>
References: <m1msK9b-0000HrC@stereo.hq.phicoh.net> <C3D5AC3A-CA5A-4F33-8BDA-DDFADD23649C@isc.org> <5f987ab1-c28a-b169-becf-1c44bdac60f4@nic.cz> <B12FC011-582F-46BC-BDEC-23AB45D33932@isc.org> <7b446404-65ec-99b8-7485-3b4b7204ebb7@nic.cz>
To: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/wSpuMnKCJRNJt6dGIv96oIRAzjA>
Subject: Re: [DNSOP] How Slack didn't turn on DNSSEC
Precedence: list


> On 1 Dec 2021, at 23:57, Vladimír Čunát <vladimir.cunat+ietf@nic.cz> wrote:
> 
> On 01/12/2021 13.43, Mark Andrews wrote:
>> Accepting 'QNAME NSEC \000.QNAME NSEC RRSIG’ (and other type maps) protects you from random QTYPE attacks.  It also makes 'black lies' work as intended.
> 
> Black lies got bad caching if Knot Resolver accepted this aggressively.  Asking two different QTYPEs repeatedly got uncacheable, as those answers need different NSEC* record contents (for the same NSEC* owner).  Of course, with different caching design this might be different, but it just didn't seem worthwhile to me.  If someone cares for good caching, they shouldn't use minimal ranges.

Black lies is “QNAME NSEC \000.QNAME NSEC RRSIG”.  There is no churn for "black lies”.  Black lies turns NXDOMAIN into NODATA.

"DNS Shotgun" can produce churn of NSEC if you ask for a type that is listed as existing but it doesn’t actually exist.  The NSEC returned is still valid for DNSSEC synthesis.

> --Vladimir
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

[DNSOP] How Slack didn't turn on DNSSEC John Levine
Re: [DNSOP] How Slack didn't turn on DNSSEC Viktor Dukhovni
Re: [DNSOP] How Slack didn't turn on DNSSEC Philip Homburg
Re: [DNSOP] How Slack didn't turn on DNSSEC Mark Andrews
Re: [DNSOP] How Slack didn't turn on DNSSEC Mark Andrews
Re: [DNSOP] How Slack didn't turn on DNSSEC Vladimír Čunát
Re: [DNSOP] How Slack didn't turn on DNSSEC Philip Homburg
Re: [DNSOP] How Slack didn't turn on DNSSEC libor.peltan
Re: [DNSOP] How Slack didn't turn on DNSSEC Tim Wicinski
Re: [DNSOP] How Slack didn't turn on DNSSEC Mark Andrews
Re: [DNSOP] How Slack didn't turn on DNSSEC Vladimír Čunát
Re: [DNSOP] How Slack didn't turn on DNSSEC Mark Andrews
Re: [DNSOP] How Slack didn't turn on DNSSEC Vladimír Čunát
Re: [DNSOP] How Slack didn't turn on DNSSEC Mark Andrews
Re: [DNSOP] How Slack didn't turn on DNSSEC Paul Vixie
Re: [DNSOP] How Slack didn't turn on DNSSEC Andrew Sullivan
Re: [DNSOP] How Slack didn't turn on DNSSEC Jim Reid
Re: [DNSOP] How Slack didn't turn on DNSSEC Viktor Dukhovni
Re: [DNSOP] How Slack didn't turn on DNSSEC Paul Vixie
Re: [DNSOP] How Slack didn't turn on DNSSEC Viktor Dukhovni
Re: [DNSOP] How Slack didn't turn on DNSSEC John Levine
Re: [DNSOP] How Slack didn't turn on DNSSEC Petr Špaček
Re: [DNSOP] How Slack didn't turn on DNSSEC - is … Petr Špaček
Re: [DNSOP] How Slack didn't turn on DNSSEC Philip Homburg
Re: [DNSOP] How Slack didn't turn on DNSSEC Mark Andrews