In your previous mail you wrote: > NSEC needs no keys, only their RRSIGs would which wouldn't exist in > unsigned zones. In this case the unsigned NSEC would also not be part of > the zone (it would have to be synthesized and maintained outside the > zone).
=> but it is created by an authoritative server, isn't it? And as it is synthesized I can't see a good reason to use NSEC3 instead. > Because an unsigned/unauthenticated NSEC/NSEC3 has the potential to nix > entire zones, when it was discussed, Mark Andrews suggested that > requiring DNS COOKIE to further reduce the chance of cache poisoning > (more than source port randomization and random message ID) could be a > reasonable idea to think about. => it adds a nonce so another (short) bunch of unpredictable bits. As NSEC is not signed it is more than vulnerable to on-the-path attacks. I am afraid it is first a massive zone destruction weapon and after perhaps an optimization... > > It seems easier to remember that DNSSEC offers proofs for denial of > > existence. => still applies... Regards francis.dup...@fdupont.fr PS: really if this is deployed I can see more "interesting" ways for misuses than real benefits. Of course it can be a mean to make zone managers to rush on DNSSEC... _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
