Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

Francis Dupont <Francis.Dupont@fdupont.fr> Tue, 18 July 2017 11:34 UTC

Message-Id: <201707181117.v6IBHwLn047420@givry.fdupont.fr>
From: Francis Dupont <Francis.Dupont@fdupont.fr>
To: Mukund Sivaraman <muks@isc.org>
cc: dnsop@ietf.org
In-reply-to: Your message of Tue, 18 Jul 2017 15:16:54 +0530. <20170718094654.GA31988@jurassic>
Date: Tue, 18 Jul 2017 13:17:58 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xwvEfs4ItsPc2NzNS_OUDjDPZCM>
Subject: Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

 In your previous mail you wrote:

>  There are still many popular unsigned zones, many of which don't look
>  like they will be signed soon due to operational and other reasons.
>  
>  Will you give some thought and reply with your opinion on NSEC/NSEC3 for
>  unsigned zones requiring the DNS COOKIE option in transmission, that can
>  be used with draft-ietf-dnsop-nsec-aggressiveuse?

=> I can't parse your message:
 - unsigned zones have no zone keys
 - the DNS cookie was designed to give a return routability proof for the client,
  not the server
 - there is no NSEC/NSEC3 in an unsigned zone
Perhaps you mean to return a synthesized NSEC/NSEC3 and the DNS COOKIE is
as usual required to avoid amplification DoS.
But what will be the signing key (including on the client side), and
what should be put in the NSEC/NSEC3? Perhaps this applies only to authoritative
servers of the (unsigned) zone?
It seems easier to remember that DNSSEC offers proofs for denial of existence.

Regards

Francis.Dupont@fdupont.fr
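The reply above leans on two properties of the DNS COOKIE option (RFC 7873, EDNS option code 10): the server cookie proves that the client can receive packets at its claimed source address, and a server can withhold large answers until that proof is in hand. The following is an added illustration, not code from the thread or from either author, of how a server would derive and verify such a cookie. The server-cookie construction (a truncated HMAC-SHA256 over the client cookie and client address under a server secret), the 16-byte server-cookie length, the "large answers only after a valid server cookie" policy and all sample values are assumptions chosen for this example; RFC 7873 fixes only the option layout (8-byte client cookie, 8 to 32 byte server cookie) and leaves the hash and rate-limiting policy to the operator.

```python
"""Minimal DNS COOKIE (RFC 7873) server-side check, as an added example.

Assumptions (not from the thread): HMAC-SHA256 truncated to 16 bytes as
the server-cookie function, and a policy that only answers "in full" to
clients holding a valid server cookie. Sample values are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

COOKIE_OPTION_CODE = 10      # EDNS option code for COOKIE (RFC 7873)
CLIENT_COOKIE_LEN = 8        # fixed by RFC 7873
SERVER_COOKIE_LEN = 16       # assumption: any length in 8..32 is allowed


def make_server_cookie(client_cookie: bytes, client_ip: str, secret: bytes) -> bytes:
    """Bind the client's cookie to its source address under the server secret."""
    if len(client_cookie) != CLIENT_COOKIE_LEN:
        raise ValueError("client cookie must be 8 bytes")
    ip_bytes = ipaddress.ip_address(client_ip).packed
    mac = hmac.new(secret, client_cookie + ip_bytes, hashlib.sha256).digest()
    return mac[:SERVER_COOKIE_LEN]


def encode_cookie_option(client_cookie: bytes, server_cookie: bytes = b"") -> bytes:
    """Serialise one COOKIE option as it appears inside OPT RDATA."""
    data = client_cookie + server_cookie
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(data)) + data


def parse_edns_options(rdata: bytes):
    """Split OPT RDATA into (code, data) pairs, rejecting truncated options."""
    opts, pos = [], 0
    while pos + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("truncated EDNS option")
        opts.append((code, rdata[pos:pos + length]))
        pos += length
    if pos != len(rdata):
        raise ValueError("trailing bytes in OPT RDATA")
    return opts


def extract_cookie(opt_rdata: bytes):
    """Return the COOKIE option data, None if absent; duplicates are an error."""
    cookies = [d for c, d in parse_edns_options(opt_rdata) if c == COOKIE_OPTION_CODE]
    if not cookies:
        return None
    if len(cookies) > 1:
        raise ValueError("more than one COOKIE option")
    return cookies[0]


def check_cookie(opt_rdata: bytes, client_ip: str, secret: bytes) -> str:
    """Classify a query: 'none', 'malformed', 'client-only', 'bad-server' or 'valid'."""
    try:
        data = extract_cookie(opt_rdata)
    except ValueError:
        return "malformed"
    if data is None:
        return "none"
    if len(data) == CLIENT_COOKIE_LEN:
        return "client-only"           # first contact: no routability proof yet
    if not (CLIENT_COOKIE_LEN + 8 <= len(data) <= CLIENT_COOKIE_LEN + 32):
        return "malformed"             # RFC 7873 option length rule
    client_cookie, server_cookie = data[:CLIENT_COOKIE_LEN], data[CLIENT_COOKIE_LEN:]
    expected = make_server_cookie(client_cookie, client_ip, secret)
    # Constant-time comparison so timing does not leak the expected cookie.
    return "valid" if hmac.compare_digest(expected, server_cookie) else "bad-server"


def handle_query(opt_rdata: bytes, client_ip: str, secret: bytes) -> dict:
    """Decide what the response carries; the 'full answer' gate is an assumed policy."""
    status = check_cookie(opt_rdata, client_ip, secret)
    reply = {"status": status, "rcode": "NOERROR",
             "send_full_answer": False, "reply_option": b""}
    if status == "none":
        return reply                   # legacy client: operator rate-limit policy applies
    if status == "malformed":
        reply["rcode"] = "FORMERR"
        return reply
    client_cookie = extract_cookie(opt_rdata)[:CLIENT_COOKIE_LEN]
    # Always hand back a fresh server cookie so the client can prove routability
    # on its next query; a spoofed source address never sees this value.
    fresh = make_server_cookie(client_cookie, client_ip, secret)
    reply["reply_option"] = encode_cookie_option(client_cookie, fresh)
    reply["send_full_answer"] = status == "valid"
    return reply


if __name__ == "__main__":
    secret = b"constructed-server-secret"       # constructed sample value
    cc = bytes(range(1, 9))                     # constructed 8-byte client cookie
    first = handle_query(encode_cookie_option(cc), "192.0.2.10", secret)
    print("first query:", first["status"], "full answer:", first["send_full_answer"])
    retry = handle_query(first["reply_option"], "192.0.2.10", secret)
    print("retry      :", retry["status"], "full answer:", retry["send_full_answer"])
```

The two-step exchange in the `__main__` block is the point: a query arriving from a spoofed address gets only a small response carrying a server cookie, and since the spoofer never receives it, the retry that would unlock a large (for instance synthesized NSEC/NSEC3) answer cannot be made, which is the amplification defence the reply refers to.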