Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use
Francis Dupont <Francis.Dupont@fdupont.fr> Tue, 18 July 2017 11:34 UTC
From: Francis Dupont <Francis.Dupont@fdupont.fr>
To: Mukund Sivaraman <muks@isc.org>
cc: dnsop@ietf.org
In-reply-to: Your message of Tue, 18 Jul 2017 15:16:54 +0530. <20170718094654.GA31988@jurassic>
Date: Tue, 18 Jul 2017 13:17:58 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xwvEfs4ItsPc2NzNS_OUDjDPZCM>
Subject: Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use
In your previous mail you wrote:

> There are still many popular unsigned zones, many of which don't look
> like they will be signed soon due to operational and other reasons.
>
> Will you give some thought and reply with your opinion on NSEC/NSEC3 for
> unsigned zones requiring the DNS COOKIE option in transmission, that can
> be used with draft-ietf-dnsop-nsec-aggressiveuse?

=> I can't parse your message:
- unsigned zones have no zone keys
- DNS cookie was designed to give a return routability proof for the client, not the server
- there is no NSEC/NSEC3 in an unsigned zone

Perhaps you mean to return a synthesized NSEC/NSEC3 and the DNS COOKIE is as usual required to avoid amplification DoS. But what will be the signing key (including on the client side) and what to put in the NSEC/NSEC3? Perhaps this applies only to authoritative servers of the (unsigned) zone?

It seems easier to remember that DNSSEC offers proofs for denial of existence.

Regards

Francis.Dupont@fdupont.fr