On 01/12/2021 15.49, Mark Andrews wrote:
> Black lies is “QNAME NSEC \000.QNAME NSEC RRSIG”. There is no churn for "black
> lies". Black lies turns NXDOMAIN into NODATA.
> "DNS Shotgun" can produce churn of NSEC if you ask for a type that is listed as
> existing but it doesn’t actually exist. The NSEC returned is still valid for DNSSEC
> synthesis.

Oh, I'm sorry; a terminological problem. I used "black-lies" for the
overall behavior of Cloudflare auths, as described in that blog
article. Maybe we could extend the current terminology draft :-D
(Nit: about random QTYPE attacks, I can't see a point when you leave
random QNAME attacks undefended.)