On 7/30/24 19:22, Shumon Huque wrote:
Thank you Michael,
Your observation is certainly true. However, I want to point out that
inability to synthesize NXDOMAIN via aggressive negative caching applies
to any online signing scheme that uses minimally covering NSEC, not just
Compact DoE.
Yes, and you may want to add that to the text. From an operator's
perspective, this solves one set of security considerations, but they
should be aware of the trade-offs when choosing a denial-of-existence
mechanism.
Your suggestion to explicitly mention the impact on mitigation of certain
classes of attacks sounds reasonable to me. We'll review the proposed text
in your PR.
Thanks.
Are there good references we can cite for water torture and random subdomain
attacks?
That's a tough one. I'll review the lit again, but most of the
references I have found online describe the circa-2014-style of attacks,
but things have evolved (e.g. the names queried have evolved to not
"look" random; there is much more effective leverage being applied by
using both direct queries from botnets *and* indirect usage of public
resolver services, etc.). Someone posted some updated stuff to
dns-operations@ about a year ago; I'll see what I can dig up and add it
to the comments.
michael
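As an added illustration of the point made above (this is not code from the draft, its authors, or anyone on this thread), the following Python models the RFC 8198 covering test a resolver applies before synthesizing NXDOMAIN from a cached NSEC record, using the RFC 4034 canonical name order. The zone and the queried names are constructed; the Compact DoE record is shaped as the draft describes it (owner = qname, next = \000.qname), with no NSEC signature checking.

```python
# RFC 8198 aggressive negative caching against a pre-computed NSEC chain
# versus a minimally covering NSEC from an online signer (Compact DoE).
# Illustration only; not code from any draft or signer implementation.

def canonical_key(name: str) -> tuple:
    """Sort key for DNSSEC canonical name order (RFC 4034 section 6.1):
    labels compared right to left, case-insensitively, as octet strings.
    A name sorts before its own descendants because it is a prefix."""
    labels = [l.lower().encode("latin-1")
              for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))

def nsec_covers(owner: str, nxt: str, qname: str, apex: str) -> bool:
    """True if an NSEC (owner -> next) proves qname does not exist, i.e.
    qname falls strictly inside the gap. The last NSEC in a chain points
    back at the apex, so that gap extends to the end of the zone."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if n == canonical_key(apex):
        return q > o
    return o < q < n

def synthesizable(cache, qname: str, apex: str) -> bool:
    """Can a resolver answer NXDOMAIN for qname from cached NSECs alone?"""
    return any(nsec_covers(o, n, qname, apex) for o, n in cache)

APEX = "example."
# Constructed sample: NSEC chain of a conventionally (offline) signed zone
# containing only the names alpha.example. and delta.example.
ZONE_NSEC = [("alpha.example.", "delta.example."),
             ("delta.example.", "example.")]
# Constructed sample: what a Compact DoE signer returns for a query for
# charlie.example. - the next name is the immediate successor \000.qname,
# so the record covers no other name.
COMPACT_NSEC = [("charlie.example.", "\x00.charlie.example.")]

if __name__ == "__main__":
    # A later query for a different nonexistent name: the conventional
    # chain lets the resolver synthesize NXDOMAIN, the compact one does not.
    for q in ("bravo.example.", "zulu.example."):
        print(q, "zone NSEC:", synthesizable(ZONE_NSEC, q, APEX),
              "compact NSEC:", synthesizable(COMPACT_NSEC, q, APEX))
```

Each distinct nonexistent name therefore reaches the authoritative server under minimally covering NSEC, which is the trade-off the thread asks the draft to spell out.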
DNSOP mailing list -- dnsop@ietf.org