Tony Finch wrote:
> On Sun, 10 Aug 2008, Ben Laurie wrote:
>> Tony Finch wrote:
>>> On Sun, 10 Aug 2008, Ted Lemon wrote:
>>>> Paul's comment (the first of the three articles you quoted) implies
>>>> that secure NXDOMAIN is not a feature of Ohta-san's proposal. That
>>>> seems like a bit of a problem, because fake domains are definitely a
>>>> useful phishing tool.
>>> As far as I can tell from the draft linked below, it does support secure
>>> NXDOMAIN and could be made to do so without allowing zone enumeration.
>>> http://www.watersprings.org/pub/id/draft-ohta-simple-dns-02.txt
>> ZL is effectively NSEC, so suffers from the same problem. A ZL3 would be
>> required. With all its attendant problems.
> The <first> and <last> domains that bracket the list don't have to exist
> in the zone: you can just return an empty ZL record that brackets the
> QNAME as a proof of nonexistence. However you'd have to generate and sign
> the record on the fly so it's not really practical, and you're right that
> something better is required.
Yeah, yeah - we went through all this with NSEC/NSEC3.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
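Added illustration of the two denial-of-existence shapes discussed in the thread (not code from the thread, from Ohta-san's draft or from any DNS implementation): a bracketing NSEC/ZL-style denial built from real zone names, beside the synthesized "<first>/<last>" bracket Tony describes, done the way RFC 4470 does it for on-line signing. The zone and query names are constructed sample data, and the predecessor routine rejects a leftmost label ending in 0x00 rather than implementing that corner of RFC 4470.

```python
# Added example, not code from the thread or from Ohta-san's draft.
# Zone contents and query names are constructed sample data.

def labels(name):
    """Presentation-form name -> list of lowercase label bytes (no escapes)."""
    return [l.lower().encode() for l in name.rstrip(".").split(".") if l]

def canonical_key(lbls):
    """RFC 4034 s6.1 canonical order: labels compared right to left,
    byte-wise; a parent sorts before its children."""
    return tuple(reversed(lbls))

def bracket(zone, qname):
    """NSEC/ZL-style denial: the real zone names sorting just before and
    just after QNAME.  Each denial reveals two entries, so following the
    chain of brackets enumerates the zone."""
    q = canonical_key(labels(qname))
    ordered = sorted(zone, key=lambda n: canonical_key(labels(n)))
    keys = [canonical_key(labels(n)) for n in ordered]
    if q in keys:
        raise ValueError("name exists; no denial needed")
    before = [n for n, k in zip(ordered, keys) if k < q]
    after = [n for n, k in zip(ordered, keys) if k > q]
    # the chain wraps: the last name brackets back to the apex
    return (before[-1] if before else ordered[-1],
            after[0] if after else ordered[0])

def minimal_cover(qname):
    """RFC 4470-style bracket synthesized (and signed) per query.
    Predecessor: decrement the last octet of the leftmost label, pad it
    to 63 octets with 0xff, then fill the name to 255 octets with 0xff
    labels so no subdomain can sort between it and QNAME.  Successor:
    one 0x00 label prepended.  Labels ending in 0x00 are rejected here."""
    lbls = labels(qname)
    first = bytearray(lbls[0])
    if first[-1] == 0:
        raise ValueError("leftmost label ending in 0x00 not handled")
    first[-1] -= 1
    pred = [bytes(first) + b"\xff" * (63 - len(first))] + lbls[1:]
    room = 255 - (sum(len(l) + 1 for l in pred) + 1)   # wire-length budget
    while room > 1:
        fill = min(63, room - 1)
        pred.insert(0, b"\xff" * fill)
        room -= fill + 1
    return pred, [b"\x00"] + lbls

def covers(pred, succ, qname):
    """Validator's check: QNAME must sort strictly inside the bracket."""
    q = canonical_key(labels(qname))
    return canonical_key(pred) < q < canonical_key(succ)
```

The synthesized bracket still passes the validator's ordering check but contains no real zone name, which is exactly why it must be signed at query time rather than precomputed.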