On 03/12/2015 11:15 AM, Jan Včelák wrote: > On Wednesday, March 11, 2015 09:52:55 AM Nicholas Weaver wrote: >> Why not just do something simpler? The only thing NSEC5 really differs in a >> way that counts is not in the NSEC record but really just the DNSKEY >> handling, having a separate key used for signing the NSEC* records. >> >> So why define NSEC5 at all. >> >> Instead, just specify a separate flag for the DNSKEY record, "NSEC-only", >> sign the NSEC3 dynamically, bada bing, bada boom, done! > > This would not work. Anyone holding the NSEC-only private key could fake > denying answers for the zone. So if your zone is slaved by a less-trusted > party, they could still manipulate your zone. This is not possible with NSEC5.
They can still respond with SERVFAIL instead of supplying a signed answer, achieving roughly the same result. A better argument would be support for opt out, where signatures from the online key could introduce unauthorized positive answers. It's still not a very strong argument, admittedly. The DNS software itself is likely signed by a key which is kept online (more or less). Online keys are less threatening than they used to be, and we aren't even talking about long-term keys baked into software, but short/medium-term keys which are easily replaced. And does anyone actually use opt out with NSEC3? -- Florian Weimer / Red Hat Product Security _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
