On Tue, Apr 6, 2021 at 12:51 PM Shumon Huque <shu...@gmail.com> wrote:
>
> On Tue, Apr 6, 2021 at 3:03 PM Murray S. Kucherawy <superu...@gmail.com> wrote:
>>
>> On Tue, Apr 6, 2021 at 11:48 AM Shumon Huque <shu...@gmail.com> wrote:
>>>
>>> Without DNSSEC, there is no current way to provide an indication about the
>>> longest ancestor of the name that did exist. With DNSSEC, the NSEC or NSEC3
>>> records in the response can do this (as well as providing cryptographic
>>> proof of this assertion with their signatures).
>>
>> Thanks, this (and the others) is helpful.
>>
>> Focusing on "no current way", could the process described in RFC 8020
>> theoretically be amended to do so? It's fine if the answer is "no", but I'd
>> love to understand why if that's the case.
>
> I suspect the most common answer to your question will be "No, just deploy
> DNSSEC". I'm sure one could devise a new protocol enhancement that an
> authoritative server could use to convey this information, but I'm not sure
> it is worth complicating the protocol to do so.
>
> Also, even with 8020, there have been concerns raised that resolvers
> implementing it could be vulnerable to spoofing adversaries easily pruning
> entire subtrees from their caches (rather than having to spoof many
> individual names). Unbound, for example, implements 8020 only for signed
> zones.
Murray, an organization we both know very well does not implement ENT/RFC8020, for instance... In the case of DNSSEC you get proper coverage with NSEC even if at best you use White (RFC4470) and Black (https://tools.ietf.org/html/draft-valsorda-dnsop-black-lies-00) lies.

Manu

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
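As an added illustration (not code from the thread, from Unbound or from any RFC): how a validating resolver can read the closest encloser, i.e. the longest existing ancestor Shumon describes, out of the NSEC record covering an NXDOMAIN QNAME, and then pick the RFC 8020 cut point, declining to cut at all for unvalidated answers so that a spoofed NXDOMAIN cannot prune a whole subtree from the cache. The zone contents, the (owner, next) tuple shape for an NSEC record and the function names are constructed assumptions.

```python
# Added example (not from the thread or from Unbound): derive the closest
# encloser and next closer name from a covering NSEC, then choose an RFC 8020
# cut point. Names are assumed fully qualified without the trailing dot.

def labels(name):
    """Labels in canonical order (RFC 4034 s6.1): root side first, case-folded."""
    return tuple(l.lower() for l in reversed(name.split("."))) if name else ()

def nsec_covers(owner, nxt, qname):
    """True if owner < qname < next in canonical order. The last NSEC in a
    zone points back to the apex, so next <= owner means 'to end of zone'."""
    o, n, q = labels(owner), labels(nxt), labels(qname)
    if n <= o:                       # wrap-around NSEC at the end of the chain
        return q > o
    return o < q < n

def closest_encloser(qname, owner, nxt):
    """Longest common ancestor of qname with either end of the covering NSEC.
    That ancestor exists in the zone (possibly as an empty non-terminal)."""
    q, best = labels(qname), ()
    for other in (labels(owner), labels(nxt)):
        i = 0
        while i < min(len(q), len(other)) and q[i] == other[i]:
            i += 1
        best = q[:i] if i > len(best) else best
    return ".".join(reversed(best))

def next_closer(qname, encloser):
    """Child of the closest encloser on the path to qname: the shortest name
    proven absent, i.e. the top of the non-existent subtree."""
    return ".".join(reversed(labels(qname)[:len(labels(encloser)) + 1]))

def nxdomain_cut(qname, validated=False, nsec=None):
    """Name below which the resolver may synthesize NXDOMAIN (RFC 8020), or
    None if it should not cut.
    - validated + covering NSEC: cut at the next closer name (widest safe cut)
    - validated, no usable NSEC: cut at qname itself
    - unvalidated: no cut; a spoofed NXDOMAIN could otherwise prune a whole
      subtree from the cache, the concern raised in the thread"""
    if not validated:
        return None
    if nsec and nsec_covers(nsec[0], nsec[1], qname):
        return next_closer(qname, closest_encloser(qname, *nsec))
    return qname

if __name__ == "__main__":
    # Constructed sample: zone "example" has w.example and zz.example but no
    # z.example, so the NSEC w.example -> zz.example covers x.y.z.example.
    print(nxdomain_cut("x.y.z.example", True, ("w.example", "zz.example")))  # z.example
```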