Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

Francis Dupont <> Tue, 18 July 2017 11:34 UTC

From: Francis Dupont <>
To: Mukund Sivaraman <>
In-reply-to: Your message of Tue, 18 Jul 2017 15:16:54 +0530. <20170718094654.GA31988@jurassic>
Date: Tue, 18 Jul 2017 13:17:58 +0200
Subject: Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

 In your previous mail you wrote:

>  There are still many popular unsigned zones, many of which don't look
>  like they will be signed soon due to operational and other reasons.
>  Will you give some thought and reply with your opinion on NSEC/NSEC3 for
>  unsigned zones requiring the DNS COOKIE option in transmission, that can
>  be used with draft-ietf-dnsop-nsec-aggressiveuse?

=> I can't parse your message:
 - unsigned zones have no zone keys
 - DNS cookie was designed to give a return routability proof for the client,
  not the server
 - there is no NSEC/NSEC3 in an unsigned zone
Perhaps you mean to return a synthesized NSEC/NSEC3 and the DNS COOKIE is
as usual required to avoid amplification DoS.
But what will be the signing key (including on the client side) and
what to put in the NSEC/NSEC3? Perhaps this applies only to authoritative
servers of the (unsigned) zone?
It seems easier to remember that DNSSEC offers proofs for denial of existence.
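The reply above notes that DNS COOKIE (RFC 7873) is a return-routability proof for the client and that it is what a server relies on before sending potentially large replies, such as a synthesized denial-of-existence response, to avoid being used as an amplifier. The following toy model, added here as an illustration and not taken from the thread or from any DNS server's code, shows that decision logic end to end: the server derives a server cookie bound to the client cookie and the client's source address, withholds large answers from clients that have not yet echoed a valid cookie (answering BADCOOKIE, RCODE 23, instead), and serves them once the cookie round trip proves the source address is real. The cookie construction (truncated HMAC-SHA256 over client cookie and source address), the server secret, the 512-byte amplification threshold and the sample addresses are all assumptions of this example; RFC 7873 leaves the algorithm to the server and RFC 9018 specifies a SipHash-2-4 based one with a timestamp.

```python
"""Toy model of the DNS COOKIE return-routability check (RFC 7873).

Added illustration only; not code from the mailing-list thread or from any
DNS implementation.  Wire-format parsing, timestamps and secret rollover
are deliberately left out to keep the policy decision visible.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed server secret; a real server generates this randomly and rotates it.
SERVER_SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

NOERROR = 0
BADCOOKIE = 23  # RCODE assigned by RFC 7873

# Answers larger than this are withheld until the client has proved return
# routability.  The value is a policy knob assumed for this toy, not from any RFC.
AMPLIFICATION_LIMIT = 512


@dataclass
class Query:
    client_ip: str                  # source address the query arrived from
    client_cookie: bytes            # 8 bytes chosen by the client
    server_cookie: Optional[bytes]  # echoed from an earlier reply, or None


@dataclass
class Response:
    rcode: int
    server_cookie: bytes  # always returned so the client can prove routability next time
    payload_bytes: int    # stand-in for the size of the answer section


def make_server_cookie(client_cookie: bytes, client_ip: str) -> bytes:
    """Server cookie bound to the client cookie and the client's source address.

    Assumed construction: first 8 bytes of HMAC-SHA256(secret, cookie || ip).
    RFC 7873 leaves the algorithm to the server; RFC 9018 recommends SipHash-2-4.
    """
    if len(client_cookie) != 8:
        raise ValueError("client cookie must be exactly 8 bytes")
    packed_ip = ipaddress.ip_address(client_ip).packed
    mac = hmac.new(SERVER_SECRET, client_cookie + packed_ip, hashlib.sha256).digest()
    return mac[:8]


def cookie_is_valid(q: Query) -> bool:
    """True only if the echoed server cookie matches one we would mint for this
    client cookie *and* this source address, compared in constant time."""
    if q.server_cookie is None:
        return False
    expected = make_server_cookie(q.client_cookie, q.client_ip)
    return hmac.compare_digest(q.server_cookie, expected)


def handle(q: Query, full_answer_size: int) -> Response:
    """Answer policy.

    A valid server cookie is proof the source address is routable, so the full
    (possibly large) answer is sent.  Without it, answers over the limit are
    replaced by a small BADCOOKIE reply carrying the cookie; RFC 7873 section 5.2.2
    lets the server choose BADCOOKIE based on policy such as rate limiting.
    """
    fresh = make_server_cookie(q.client_cookie, q.client_ip)
    if cookie_is_valid(q):
        return Response(NOERROR, fresh, full_answer_size)
    if full_answer_size > AMPLIFICATION_LIMIT:
        return Response(BADCOOKIE, fresh, 0)
    return Response(NOERROR, fresh, full_answer_size)


def client_round_trip(client_ip: str, client_cookie: bytes, answer_size: int) -> List[Response]:
    """Simulate a well-behaved client: first query without a server cookie,
    then a retry echoing whatever cookie the server returned."""
    first = handle(Query(client_ip, client_cookie, None), answer_size)
    second = handle(Query(client_ip, client_cookie, first.server_cookie), answer_size)
    return [first, second]


if __name__ == "__main__":
    # Constructed sample: a 1800-byte answer requested from a documentation-range address.
    for r in client_round_trip("192.0.2.10", b"\x01" * 8, 1800):
        print(r)
```

The point the model makes is the one in the reply: a client that cannot receive traffic at the claimed source address never obtains a valid server cookie, so it never extracts the large response, while a genuine client pays one extra small round trip and is then served normally. Binding the cookie to the source address is what stops a cookie obtained from one address from being replayed with a spoofed one.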