Re: draft-arends-dnsnr-00

"Olaf M. Kolkman" <olaf@ripe.net> Mon, 26 July 2004 07:47 UTC

From: "Olaf M. Kolkman" <olaf@ripe.net>
Subject: Re: draft-arends-dnsnr-00
Date: Mon, 26 Jul 2004 09:47:09 +0200
Organization: RIPE NCC
Lines: 35
Sender: owner-namedroppers@ops.ietf.org
References: <Pine.BSO.4.56.0407121709550.12231@trinitario.schlyter.se>
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Cc: namedroppers@ops.ietf.org
X-From: owner-namedroppers@ops.ietf.org Mon Jul 26 10:20:54 2004
Return-path: <owner-namedroppers@ops.ietf.org>
To: Roy Arends <roy@dnss.ec>
In-Reply-To: <Pine.BSO.4.56.0407121709550.12231@trinitario.schlyter.se>
X-Mailer: Sylpheed version 0.9.11 (GTK+ 1.2.10; i686-pc-linux-gnu)
X-RIPE-Spam-Level:
X-RIPE-Spam-Status: N 0.007151 / 0.0 / 0.0 / disabled
X-RIPE-Signature: cfc6b5d42c4eb299cf3455160cc22855
Precedence: bulk
X-Message-ID:
Message-ID: <20140418071904.2560.32114.ARCHIVE@ietfa.amsl.com>

I would have liked to keep this genie in its bottle but it occurs to me that
Roy's proposal is a mixture of NSEC2 and OPT-IN specs. I would say
that the same security properties of OPT-IN apply to Roy's
proposal. I.e. the record provides proof that a certain part of the
namespace is insecure. In that part of the insecure namespace you can
happily spoof names away or spoof a microzoft.com response.


If we want to have both obscured names and "non-secured" intervals in
your zone, so that during initial deployment you only have to create
and sign a handful of NSEC variants, then Roy's proposal is worth
investigating.

If you want a choice between a "fully secured" zone with obfuscated NSECs
and a zone with "insecure ranges" with obfuscated NSECs, then NSEC2 with
an "OPT-IN" type flag seems to be the way forward.


--Olaf
  (no hats)

PS. For a name: Hashed Insecure Interval: HII RR



---------------------------------| Olaf M. Kolkman
---------------------------------| RIPE NCC
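The security property Olaf describes (an OPT-IN style record proves only that a span of the namespace is insecure, so a validator must not treat a name inside that span as authenticated-absent) can be made concrete with a small model. The following is an added example written for this archive page; it is not code from the draft, from NSEC2/OPT-IN, or from any resolver. The chain layout, the `opt_in` flag, the simplified canonical ordering, and the SHA-1 hex key used for the "obscured names" variant are all assumptions of the example, not the wire format of any of these proposals.

```python
"""Constructed model of denial-of-existence over a chain of intervals with an
OPT-IN flag.  Illustrative only: layout, ordering and hashing are assumptions."""
import hashlib
from dataclasses import dataclass
from typing import Callable, List, Tuple


def canonical_key(name: str):
    """Simplified canonical DNS ordering: labels compared right to left, lowercased.
    (Real canonical ordering compares label bytes; this tuple form is an approximation.)"""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


def hashed_key(name: str) -> str:
    """'Obscured' owner name: hex SHA-1 of the lowercased name.  The hash
    function and encoding are assumptions of this example."""
    return hashlib.sha1(name.rstrip(".").lower().encode()).hexdigest()


@dataclass(frozen=True)
class Span:
    owner: object    # ordering key of the signed owner name
    nxt: object      # key of the next signed name in the chain (wraps to apex)
    opt_in: bool     # True: unsigned names may legitimately exist inside this span


def build_chain(entries: List[Tuple[str, bool]], key: Callable) -> List[Span]:
    """entries: (name, opt_in) for every signed name; returns the sorted chain."""
    ordered = sorted(entries, key=lambda e: key(e[0]))
    spans = []
    for i, (name, opt_in) in enumerate(ordered):
        nxt_name = ordered[(i + 1) % len(ordered)][0]   # last span wraps around
        spans.append(Span(key(name), key(nxt_name), opt_in))
    return spans


def covers(span: Span, k) -> bool:
    """True if k lies strictly between owner and next, handling the wrap-around span."""
    if span.owner < span.nxt:
        return span.owner < k < span.nxt
    return k > span.owner or k < span.nxt


def classify(spans: List[Span], name: str, key: Callable) -> str:
    """'exists'        : name is a signed owner in the chain
       'proven-absent' : covered by a span without OPT-IN; absence is authenticated
       'insecure'      : covered by an OPT-IN span; an unsigned answer here is
                         unverifiable and must NOT be treated as proven absent"""
    k = key(name)
    for s in spans:
        if k == s.owner:
            return "exists"
        if covers(s, k):
            return "insecure" if s.opt_in else "proven-absent"
    return "no-chain"   # unreachable with a complete chain


# Constructed sample zone: the span after m.example. is flagged OPT-IN,
# i.e. unsigned delegations may live between m.example. and z.example.
ZONE = [("example.", False), ("a.example.", False),
        ("m.example.", True), ("z.example.", False)]
PLAIN_CHAIN = build_chain(ZONE, canonical_key)    # plain owner names
HASHED_CHAIN = build_chain(ZONE, hashed_key)      # obscured owner names

if __name__ == "__main__":
    for q in ("b.example.", "q.example.", "sub.m.example.", "m.example."):
        print(q, "->", classify(PLAIN_CHAIN, q, canonical_key))
```

Running the module shows `b.example.` as proven-absent but `q.example.` and `sub.m.example.` as insecure: the chain asserts nothing about them, which is exactly the window in which a forged response for such a name cannot be detected by the chain alone. The hashed chain has the same property; only the ordering of spans changes.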


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>