On Tue, Apr 6, 2021 at 3:03 PM Murray S. Kucherawy <superu...@gmail.com> wrote:
> On Tue, Apr 6, 2021 at 11:48 AM Shumon Huque <shu...@gmail.com> wrote:
>
>> Without DNSSEC, there is no current way to provide an indication about
>> the longest ancestor of the name that did exist. With DNSSEC, the NSEC or
>> NSEC3 records in the response can do this (as well as providing
>> cryptographic proof of this assertion with their signatures).
>>
>
> Thanks, this (and the others) is helpful.
>
> Focusing on "no current way", could the process described in RFC 8020
> theoretically be amended to do so? It's fine if the answer is "no", but
> I'd love to understand why if that's the case.
>

I suspect the most common answer to your question will be "No, just deploy
DNSSEC". I'm sure one could devise a new protocol enhancement that an
authoritative server could use to convey this information, but I'm not sure
it is worth complicating the protocol to do so.

Also, even with 8020, there have been concerns raised that resolvers
implementing it could be vulnerable to spoofing adversaries easily pruning
entire subtrees from their caches (rather than having to spoof many
individual names). Unbound, for example, implements 8020 only for signed
zones.

Shumon.
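The subtree-pruning concern in the reply above, as an added illustration that is not part of the thread and is not Unbound's code: a toy negative cache that applies the RFC 8020 "NXDOMAIN cut" (an NXDOMAIN for a name implies NXDOMAIN for every name below it) only when the cached NXDOMAIN came from a DNSSEC-validated answer. The class and function names, and the `secure` flag standing in for "this answer was validated", are assumptions of the example; the policy switch mirrors the signed-zones-only behaviour the reply attributes to Unbound.

```python
"""Toy resolver negative cache showing the RFC 8020 NXDOMAIN cut and why a
resolver may restrict it to DNSSEC-validated (signed-zone) answers.

Added example, not from the mailing-list thread and not Unbound's code.
"""
from dataclasses import dataclass, field
from typing import Optional


def normalize(name: str) -> str:
    """Lower-case and make the name fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def is_subdomain(name: str, ancestor: str) -> bool:
    """True if `name` is strictly below `ancestor` in the DNS tree."""
    name, ancestor = normalize(name), normalize(ancestor)
    if ancestor == ".":
        return name != "."
    return name != ancestor and name.endswith("." + ancestor)


@dataclass
class NegativeCache:
    # When True, an NXDOMAIN prunes the subtree below it only if the answer
    # was DNSSEC-validated (the guard described for Unbound in the thread).
    nxdomain_cut_only_if_secure: bool = True
    # name -> whether the NXDOMAIN that produced the entry was validated
    _nxdomains: dict = field(default_factory=dict)

    def record_nxdomain(self, name: str, secure: bool) -> None:
        """Cache an NXDOMAIN answer; `secure` marks DNSSEC validation."""
        self._nxdomains[normalize(name)] = secure

    def lookup(self, qname: str) -> Optional[str]:
        """Return "NXDOMAIN" if the cache can answer negatively, else None
        (the resolver must query upstream)."""
        qname = normalize(qname)
        for cached, secure in self._nxdomains.items():
            if cached == qname:
                # Exact negative hit: this predates RFC 8020 and needs no cut.
                return "NXDOMAIN"
            if is_subdomain(qname, cached):
                # RFC 8020 cut: a missing ancestor implies a missing descendant.
                # An unvalidated (possibly spoofed) NXDOMAIN is not allowed to
                # prune the whole subtree when the guard is on.
                if secure or not self.nxdomain_cut_only_if_secure:
                    return "NXDOMAIN"
        return None


def demo() -> dict:
    """Contrast a guarded cache with an unguarded one on a constructed,
    unvalidated NXDOMAIN for example.com. (a spoofed-looking answer)."""
    guarded = NegativeCache(nxdomain_cut_only_if_secure=True)
    unguarded = NegativeCache(nxdomain_cut_only_if_secure=False)
    for cache in (guarded, unguarded):
        cache.record_nxdomain("example.com.", secure=False)
    # A validated NXDOMAIN from a signed zone (constructed) may prune.
    guarded.record_nxdomain("example.org.", secure=True)
    return {
        "guarded_exact": guarded.lookup("example.com."),
        "guarded_child": guarded.lookup("www.example.com."),
        "unguarded_child": unguarded.lookup("www.example.com."),
        "guarded_secure_child": guarded.lookup("a.b.example.org."),
        "guarded_sibling": guarded.lookup("notexample.com."),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the guard on, the unvalidated NXDOMAIN still answers the exact name from cache but does not suppress upstream queries for names beneath it, so a single forged negative answer cannot silently take a whole subtree offline; with the guard off, it does.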
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop