draft-ietf-dnsop-nsec-aggressiveuse works for stopping random sub-domain attacks for signed zones.
The problem still exists for unsigned zones, and different approaches have been proposed:

- Bloom filtering of queries (e.g. https://github.com/hdais/unbound-bloomfilter)
- A Bloom filter bitfield in RRs (e.g. https://tools.ietf.org/html/draft-bellovin-dnsext-bloomfilt-00)

What are the consequences of the authoritative server returning synthesized unsigned NSEC3 RRs upon being signalled by the resolver using an EDNS option? This could be spoofed by a man-in-the-middle, but so can every unsigned answer.

Mukund
DNSOP mailing list, DNSOP@ietf.org, https://www.ietf.org/mailman/listinfo/dnsop
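As an added illustration (not code from the post or from any of the projects it links), the following sketches what a resolver does with NSEC3 intervals under aggressive use: it hashes the queried name per RFC 5155 and, if the hash falls into a cached gap, answers NXDOMAIN locally instead of forwarding yet another random subdomain upstream. The zone names and salt are constructed sample values, and the full closest-encloser and wildcard checks of real aggressive use are left out to keep to the interval logic.

```python
import base64
import hashlib

# RFC 5155 hashes are base32hex; translate Python's standard base32 alphabet.
_B32_TO_HEX = str.maketrans('ABCDEFGHIJKLMNOPQRSTUVWXYZ234567',
                            '0123456789ABCDEFGHIJKLMNOPQRSTUV')

def to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of a DNS name, as hashed by NSEC3."""
    labels = [l.encode() for l in name.lower().rstrip('.').split('.') if l]
    return b''.join(bytes([len(l)]) + l for l in labels) + b'\x00'

def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed `iterations` times."""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32_TO_HEX).lower()

def nsec3_covers(owner_hash: str, next_hash: str, qname_hash: str) -> bool:
    """True if qname_hash lies strictly between owner and next hashed names.
    The last record of the chain wraps around the end of the hash space."""
    if owner_hash < next_hash:
        return owner_hash < qname_hash < next_hash
    return qname_hash > owner_hash or qname_hash < next_hash

class AggressiveNsec3Cache:
    """Hypothetical resolver-side cache of NSEC3 intervals for one zone.
    Salt and iteration count must match the records that were cached."""
    def __init__(self, salt: bytes, iterations: int):
        self.salt, self.iterations = salt, iterations
        self.intervals = []  # (owner_hash, next_hash) pairs already seen

    def add(self, owner_hash: str, next_hash: str) -> None:
        self.intervals.append((owner_hash.lower(), next_hash.lower()))

    def proven_nonexistent(self, qname: str) -> bool:
        """Answer from cache when a cached gap denies the name's existence."""
        h = nsec3_hash(qname, self.salt, self.iterations)
        return any(nsec3_covers(o, n, h) for o, n in self.intervals)
```

With synthesized NSEC3 answers from an unsigned zone, the same cache logic would apply, but nothing prevents a spoofed interval from suppressing legitimate names until it expires.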