At Sun, 1 May 2016 19:20:33 +0200, Matthijs Mekking <matth...@pletterpet.nl> wrote:
> >>>> - I don't see why setting the CD bit is an indication that NSEC(3)
> >>>> aggressive usage should not be used. Could you elaborate on that?
> >>
> >> I am still hoping that someone could respond to this :)
> >
> > Specifically where in draft-fujiwara-dnsop-nsec-aggressiveuse-03 are
> > you referring to?
>
> Section 5.1. Specifically I think that the CD bit signals to disable
> signature validation in a security-aware name server (but does not
> prevent it from happening anyways), but that does not disable answering
> already validated data from its cache.

I didn't (and still don't) interpret that section as saying a query with the CD bit shouldn't be answered with a cached NSEC applying nsec-aggressiveuse. To me it seems to be just silent about that point. I guess it simply assumes a particular validator behavior that skips DNSSEC validation on queries with the CD bit (and the resulting NSEC can't be used for subsequent nsec-aggressiveuse as it's not validated) and considers that this can be exploited by an attacker.

But your actual point is probably: if the validating recursive server performs DNSSEC validation for an answer triggered by a query with the CD bit (but returns the answer whether or not it validates; that's the real normative part of the protocol with a SHOULD), and if the validating recursive server uses the validated (and cached) NSEC for subsequent nsec-aggressiveuse, sending queries with the CD bit wouldn't be an effective attack vector as the section suggests. In that sense, I agree with you and I also think what's (seemingly) stated in this section does not make much sense.

Personally, though, I have an even more fundamental question on this section: to me, the claimed benefit of this approach as a defence against "random subdomain attacks" is very weak, and all related discussions in that context just make the document unnecessarily complicated. If we simply consider this technique as a possibly-nice-to-have optimization, the CD bit discussion will become simply unnecessary. So I'd suggest re-purposing the draft and just removing this section (or just mentioning that the validator should perform DNSSEC validation even if it's triggered by a query with the CD bit to make this technique more effective).

--
JINMEI, Tatuya

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
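The behaviour the message above argues for, as an added example that is not part of the thread and not code from the draft, BIND or any other resolver: a toy validating-resolver cache that validates NSEC records even when the triggering query had CD set, returns the answer either way, caches only NSECs that validated, and then uses the cached NSECs to synthesize NXDOMAIN for later queries (the aggressive-use technique). The canonical ordering and covering check follow RFC 4034 section 6.1; the example zone `example.` with names `a.example.` and `c.example.`, the simulated upstream and the `signatures_ok` flag standing in for real RRSIG verification are all constructed for illustration.

```python
"""Toy validating resolver cache applying aggressive NSEC use.
Added illustration only: zone contents, the simulated upstream and the
'signatures_ok' flag (standing in for RRSIG validation) are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


def labels(name: str) -> list:
    """Split an absolute name into labels, lowercased (RFC 4034 canonical form)."""
    name = name.rstrip(".").lower()
    return name.encode("ascii").split(b".") if name else []


def canonical_cmp(a: str, b: str) -> int:
    """RFC 4034 section 6.1 ordering: compare labels right to left as octet strings;
    a name that is a proper ancestor of another sorts first."""
    la, lb = labels(a)[::-1], labels(b)[::-1]
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def is_subdomain(name: str, zone: str) -> bool:
    ln, lz = labels(name), labels(zone)
    return len(ln) >= len(lz) and ln[len(ln) - len(lz):] == lz


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str

    def covers(self, qname: str) -> bool:
        """True if qname sorts strictly between owner and next: proof of non-existence.
        The last NSEC in a zone points back at the apex, so next <= owner means
        'everything after owner'."""
        if canonical_cmp(qname, self.owner) <= 0:
            return False
        if canonical_cmp(self.next_name, self.owner) <= 0:
            return True
        return canonical_cmp(qname, self.next_name) < 0

    def closest_encloser(self) -> str:
        """Longest common ancestor of owner and next: the closest encloser of every
        name this NSEC covers (needed to locate the wildcard that must also be absent)."""
        common = []
        for x, y in zip(labels(self.owner)[::-1], labels(self.next_name)[::-1]):
            if x != y:
                break
            common.append(x)
        return ".".join(l.decode() for l in reversed(common)) + "."


@dataclass
class Resolver:
    zone: str
    nsec_cache: list = field(default_factory=list)  # DNSSEC-validated NSECs only
    upstream_queries: int = 0

    def _find_covering(self, name: str):
        return next((n for n in self.nsec_cache if n.covers(name)), None)

    def synthesize_nxdomain(self, qname: str) -> bool:
        """Aggressive use: synthesize NXDOMAIN when a cached NSEC covers qname and a
        cached NSEC also covers the wildcard at the closest encloser."""
        if not is_subdomain(qname, self.zone):
            return False
        nsec = self._find_covering(qname)
        if nsec is None:
            return False
        return self._find_covering("*." + nsec.closest_encloser()) is not None

    def resolve(self, qname: str, upstream, cd: bool = False):
        """Returns (rcode, source). Cache is consulted first regardless of CD.
        Otherwise go upstream, validate even when CD is set, hand the answer back
        either way (CD only suppresses SERVFAIL), but cache NSECs only if validated."""
        if self.synthesize_nxdomain(qname):
            return "NXDOMAIN", "synthesized"
        self.upstream_queries += 1
        nsecs, validated = upstream(qname)
        if validated:
            self.nsec_cache.extend(n for n in nsecs if n not in self.nsec_cache)
        if not validated and not cd:
            return "SERVFAIL", "upstream"
        return "NXDOMAIN", "upstream"


ZONE = "example."  # constructed zone: apex, a.example., c.example.
CHAIN = [NSEC("example.", "a.example."), NSEC("a.example.", "c.example."),
         NSEC("c.example.", "example.")]


def make_upstream(signatures_ok: bool):
    """Constructed authoritative side for names that do NOT exist in ZONE: returns the
    NSECs a real NXDOMAIN response carries (covering qname and the wildcard at the
    closest encloser) plus a flag standing in for the RRSIG validation outcome."""
    def upstream(qname):
        covering = next(n for n in CHAIN if n.covers(qname))
        wildcard_nsec = next(n for n in CHAIN if n.covers("*." + covering.closest_encloser()))
        return [covering, wildcard_nsec], signatures_ok
    return upstream


def demo():
    """Scenario from the thread: a CD=1 query still triggers validation; bogus data is
    returned but never cached, validated NSECs serve any later query, CD set or not."""
    r = Resolver(ZONE)
    good, bad = make_upstream(True), make_upstream(False)
    out = [r.resolve("b.example.", bad, cd=True)]    # returned to client, not cached
    out.append(r.resolve("b.example.", good, cd=True))   # validated and cached
    out.append(r.resolve("bb.example.", good))           # same span: from cache
    out.append(r.resolve("z.example.", good))            # wrap-around NSEC not yet cached
    return out, r.upstream_queries


if __name__ == "__main__":
    print(demo())
```

The point the code makes concrete: the CD bit changes only what the client is told when validation fails (`SERVFAIL` versus the unvalidated answer); it does not stop validation from running, and because only validated NSECs enter `nsec_cache`, an attacker sending CD=1 queries cannot plant an NSEC that would later be used for synthesis, while a legitimately signed NSEC fetched by a CD=1 query is just as usable for aggressive use as one fetched by a CD=0 query.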