Thank you, Michael. Your observation is certainly true. However, I want to point out that the inability to synthesize NXDOMAIN via aggressive negative caching applies to any online signing scheme that uses minimally covering NSEC, not just Compact DoE.
Your suggestion to explicitly mention the impact on the mitigation of certain classes of attacks sounds reasonable to me. We'll review the proposed text in your PR. Are there good references we can cite for water torture and random subdomain attacks?

Shumon

On Tue, Jul 30, 2024 at 8:59 PM Michael Sinatra <mich...@brokendns.net> wrote:
> I have also added a nit (as an Issue) to the github repo for this doc,
> as I'd like the authors to consider explicitly stating that the inability
> for resolvers to synthesize NXDOMAIN responses for zones using this CDoE
> mechanism can make certain DoS attacks (e.g. Water Torture) more
> effective than with plain NSEC.
>
> https://github.com/shuque/id-dnssec-compact-lies/issues/6
>
> I realize that a close read of Section 5 of the draft makes it clear
> that RFC 8198 aggressive ncaching won't work, but it might be useful to
> also call that out as a security consideration (i.e. the effectiveness
> of Water Torture relies on the *lack* of negative caching). Happy to
> discuss further if the authors desire.
>
> michael
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
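The point both messages make, that RFC 8198 aggressive negative caching cannot synthesize NXDOMAIN from minimally covering NSEC and so leaves the authoritative server exposed to every random-subdomain query, can be shown with a small model. The code below is an added example, not code from the draft, the thread or any resolver: it implements canonical name ordering (RFC 4034 section 6.1), NSEC coverage, a resolver cache that synthesizes NXDOMAIN from covering records, and a water-torture loop of random labels against a constructed zone "example." with three real names. The minimally covering records use the Compact DoE shape (owner = QNAME, next = \000.QNAME); RFC 4470-style white lies behave the same way because their range likewise contains no other real name. The zone contents, query names and class/function names are all constructed for the demo, and the wildcard-absence check RFC 8198 also requires is omitted to keep the model short.

```python
"""
Toy model of RFC 8198 aggressive negative caching against two kinds of
NSEC: a precomputed chain over a zone's real names, and minimally
covering NSEC records in the Compact DoE shape (owner = QNAME,
next = \000.QNAME). Added example with constructed data; not code from
the draft or the thread.
"""
import random
from dataclasses import dataclass

ZONE = "example."  # constructed zone for the demo


def canonical_key(name):
    """Canonical DNS name ordering (RFC 4034 s6.1): labels compared
    right to left as lowercase octet strings; a missing label sorts
    before any label, so an ancestor sorts before its descendants."""
    labels = [l.lower().encode("latin-1")
              for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


@dataclass(frozen=True)
class NSEC:
    owner: str
    nxt: str  # Next Domain Name field

    def covers(self, qname):
        """True if qname sorts strictly between owner and next. A next
        name sorting at or before owner is the chain's wraparound to the
        apex, which covers every in-zone name after owner."""
        q, o, n = (canonical_key(qname), canonical_key(self.owner),
                   canonical_key(self.nxt))
        if n <= o:
            return q > o
        return o < q < n


class Authoritative:
    """Serves ZONE either with a precomputed NSEC chain over its real
    names or online, answering each nonexistent name with a minimally
    covering NSEC (Compact DoE shape)."""

    def __init__(self, names, compact_doe):
        self.names = sorted(set(names) | {ZONE}, key=canonical_key)
        self.compact_doe = compact_doe
        self.queries = 0  # upstream load, the thing water torture drives up

    def nxdomain_proof(self, qname):
        self.queries += 1
        if self.compact_doe:
            # Next name is QNAME's immediate successor: a \000 label prepended.
            return NSEC(owner=qname, nxt="\x00." + qname)
        # Precomputed chain: each NSEC spans two adjacent real names,
        # the last one wrapping around to the apex.
        chain = [NSEC(a, b) for a, b in
                 zip(self.names, self.names[1:] + self.names[:1])]
        return next(r for r in chain if r.covers(qname))


class Resolver:
    """Caches NSEC records and, per RFC 8198, synthesizes NXDOMAIN when
    a cached record covers the name (wildcard check omitted)."""

    def __init__(self, auth):
        self.auth = auth
        self.cache = set()
        self.synthesized = 0

    def resolve(self, qname):
        if any(r.covers(qname) for r in self.cache):
            self.synthesized += 1
            return "NXDOMAIN (synthesized from cache)"
        self.cache.add(self.auth.nxdomain_proof(qname))
        return "NXDOMAIN (from authoritative)"


def water_torture(compact_doe, n_queries=200, seed=1):
    """Sends n random-subdomain queries and returns how many reached the
    authoritative server. With a precomputed chain the count is bounded
    by the chain length (4 here); with minimally covering NSEC every
    query goes upstream, because no cached record covers the next name."""
    rng = random.Random(seed)
    auth = Authoritative(["apple." + ZONE, "banana." + ZONE, "cherry." + ZONE],
                         compact_doe)
    res = Resolver(auth)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    for _ in range(n_queries):
        label = "".join(rng.choice(alphabet) for _ in range(12))
        res.resolve(f"{label}.{ZONE}")
    return auth.queries


if __name__ == "__main__":
    print("precomputed NSEC chain, upstream queries:", water_torture(False))
    print("minimally covering NSEC, upstream queries:", water_torture(True))
```

Running it shows the asymmetry the thread is about: with the precomputed chain the resolver goes upstream at most once per NSEC in the chain and then answers the remaining random names itself, whereas with minimally covering NSEC every one of the 200 random queries reaches the authoritative server, which is exactly what a random-subdomain attack relies on.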