On Sun, 10 Aug 2008, Ben Laurie wrote:
> Tony Finch wrote:
> > On Sun, 10 Aug 2008, Ted Lemon wrote:
> > >
> > > Paul's comment (the first of the three articles you quoted) implies
> > > that secure NXDOMAIN is not a feature of Ohta-san's proposal. That
> > > seems like a bit of a problem, because fake domains are definitely a
> > > useful phishing tool.
> >
> > As far as I can tell from the draft linked below, it does support secure
> > NXDOMAIN and could be made to do so without allowing zone enumeration.
> > http://www.watersprings.org/pub/id/draft-ohta-simple-dns-02.txt
>
> ZL is effectively NSEC, so suffers from the same problem. A ZL3 would be
> required. With all its attendant problems.

The <first> and <last> domains that bracket the list don't have to exist in
the zone: you can just return an empty ZL record that brackets the QNAME as a
proof of nonexistence. However you'd have to generate and sign the record on
the fly so it's not really practical, and you're right that something better
is required.

Tony.
--
f.anthony.n.finch <[EMAIL PROTECTED]> http://dotat.at/
SOLE LUNDY FASTNET IRISH SEA: SOUTHWESTERLY BACKING SOUTHERLY 5 OR 6,
OCCASIONALLY 7 IN FASTNET. ROUGH. RAIN OR SHOWERS. MODERATE OR GOOD,
OCCASIONALLY POOR.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
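The bracketing proof of nonexistence discussed in the thread, as an added example that is not part of the message or of draft-ohta-simple-dns: a covering check in DNSSEC canonical order (RFC 4034 section 6.1), the bracket taken from real zone names (which discloses two neighbours, the enumeration problem Ben raises), and the on-the-fly bracket built from names that cannot exist, following the minimal-cover construction of RFC 4470. The sample zone, the tuple-of-labels representation and all function names are constructed for illustration.

```python
MAX_NAME, MAX_LABEL = 255, 63          # wire-format limits, RFC 1035

def name(text):
    """'www.example.' -> (b'www', b'example'), ASCII case folded (RFC 4034 s.6.1)."""
    return tuple(l.encode('ascii').lower() for l in text.rstrip('.').split('.') if l)

def canon_key(labels):
    """Canonical DNS order: compare labels from the right; a missing label sorts first."""
    return tuple(reversed(labels))

def covers(first, last, qname, apex):
    """True if a record bracketed by (first, last) proves qname absent.
    last == apex means the bracket wraps round the end of the zone."""
    k = canon_key
    return k(first) < k(qname) and (k(qname) < k(last) or k(last) == k(apex))

def wire_len(labels):
    return sum(len(l) + 1 for l in labels) + 1      # +1 for the root label

def successor(labels):
    """Immediate successor of a name: prepend a single zero-octet label."""
    return (b'\x00',) + tuple(labels)   # assumes 2 octets of room below MAX_NAME

def predecessor(labels):
    """Immediate predecessor: step the leftmost label down, then fill with \\255."""
    first = bytearray(labels[0])
    if first[-1] == 0:                 # removing a zero octet is the step down
        del first[-1]
        if not first:                  # '\000.parent' steps down to parent itself
            return tuple(labels[1:])
        out = [bytes(first)] + list(labels[1:])
    else:                              # decrement, then pad the label with \255
        first[-1] -= 1
        out = [bytes(first)] + list(labels[1:])
        out[0] += b'\xff' * min(MAX_LABEL - len(first), MAX_NAME - wire_len(out))
    while MAX_NAME - wire_len(out) >= 2:                # room for one more label
        out.insert(0, b'\xff' * min(MAX_LABEL, MAX_NAME - wire_len(out) - 1))
    return tuple(out)

ZONE = {name('example.'), name('login.example.'), name('ns1.example.'), name('www.example.')}  # constructed

def zone_bracket(zone, qname):
    """Bracket from real zone names: proves absence but discloses two neighbours."""
    names = sorted(zone, key=canon_key)
    below = [n for n in names if canon_key(n) < canon_key(qname)]
    above = [n for n in names if canon_key(n) > canon_key(qname)]
    return (below[-1] if below else names[-1]), (above[0] if above else names[0])

def minimal_bracket(qname):
    """Bracket generated on the fly from names that cannot exist in the zone."""
    return predecessor(qname), successor(qname)
```

The padded predecessor is the caveat RFC 4470 adds to the idea above: a bracket that is as tight as possible cannot later be replayed to deny a name that really exists.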