Hello Gaurav,

You might want to have a look at our whitepaper on 'authenticated denial of existence' to gain a better understanding of this somewhat complicated aspect of the DNSSEC specification:
https://www.sidn.nl/fileadmin/docs/PDF-files_UK/wp-2011-0x01-v2.pdf

Regards,
--
Marco

On 02/14/2012 08:18 PM, Chris Buxton wrote:
> Briefly, the answer is, the NXDOMAIN response could be replayed by a
> man-in-the-middle attacker. We need to have something to sign, something
> specific to that query. If we just return the zone's SOA record and its
> signature, we're still subject to a replay attack. So we need to prove
> the negative, and that happens by enumerating all the possible positive
> answers "near" the query.
>
> Regards,
> Chris Buxton
> BlueCat Networks
>
> On Feb 14, 2012, at 9:23 AM, Gaurav kansal wrote:
>
>> Dear Team,
>>
>> We have an Authenticated Response in DNSSEC through trust chain.
>> Now my question is why we itself need an NSEC when we get response from
>> DNSSEC enabled server authentically.
>>
>> Means, if a Record exist in DNSSEC, then it replies the answer along
>> with RRSIG of that RR.
>> AND if domain doesn’t exist, then it can simply give NXDOMAIN and our
>> job will be done as we trust that nameserver through trust chain.
>> So what’s the need of NSEC??????
>>
>> Thanks n Regards,
>> GAURAV KANSAL
>> 9910118448
>> VoIP - 6259
>> Operation And Routing Unit
>> NIC , NEW DELHI
>>
>> Please don't print this e-mail until & unless you really need, it will
>> save Trees on Planet Earth.
>> IPv4 is Over,
>> Are you ready for new Network.
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
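
Added example (not part of the original thread, and not BIND's code): a sketch of the check a validator makes to decide whether an NSEC record "covers" a queried name, which is why an NSEC captured for one query cannot be replayed to deny a name that exists. The zone names are constructed, RRSIG verification and the wildcard proof are assumed to happen elsewhere, and escaped label characters are not handled.

```python
# Added example: NSEC coverage using RFC 4034 section 6.1 canonical ordering.
# All names below are constructed for illustration.

def canonical_key(name):
    """Sort key: lowercased labels as bytes, most significant (rightmost) first."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return [l.encode("ascii") for l in reversed(labels)]

def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly between the NSEC owner and its next name."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n                 # ordinary gap between two existing names
    # Last NSEC in the chain: next_name wraps around to the zone apex.
    return q > o and q[:len(n)] == n     # must sort after owner and be inside the zone

def build_nsec_chain(names):
    """What a signer does: sort the zone canonically and link each name to the next."""
    ordered = sorted(names, key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]

def proves_nxdomain(nsec_records, qname):
    """Accept NXDOMAIN only if one of the (already signature-checked) NSECs covers qname."""
    return any(nsec_covers(o, n, qname) for o, n in nsec_records)

# Constructed zone contents.
ZONE = ["example.com.", "www.example.com.", "alpha.example.com.", "mail.example.com."]
CHAIN = build_nsec_chain(ZONE)

if __name__ == "__main__":
    for owner, nxt in CHAIN:
        print(f"{owner:22} NSEC {nxt}")
    # Genuine denial: beta falls in the alpha -> mail gap.
    print(proves_nxdomain(CHAIN, "beta.example.com."))
    # Replay: the NSEC captured above is sent back for a query about www.
    captured = [("alpha.example.com.", "mail.example.com.")]
    print(proves_nxdomain(captured, "www.example.com."))
```

A bare signed NXDOMAIN (or SOA plus RRSIG) has no equivalent of `nsec_covers` to fail, so the validator has nothing that ties the denial to the name that was asked about.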