On 7/30/24 19:40, John Levine wrote:
It appears that Shumon Huque  <shu...@gmail.com> said:

Thank you Michael,

Your observation is certainly true. However, I want to point out that
inability to synthesize NXDOMAIN via aggressive negative caching applies
to any online signing scheme that uses minimally covering NSEC, not just
Compact DoE.

It's also what happens with no DNSSEC at all, give or take larger
responses. I think we can agree to note it but there's nothing to do
about it.

Exactly--that's all I am asking.

I have to say it's amusing that now it's a security issue *not* to
implement RFC 8198.

I'd say it's more of a security trade-off becoming more apparent than a security issue per se. These kinds of attacks have evolved to the point that they're making really "good" use of the public resolver (as well as private resolver) infrastructures, so aggressive ncaching can now really make a difference. It's certainly not in the scope of your draft to explain mitigations for this particular type of attack; my only request is that you are clear that this solves one set of problems (reducing computational load for online signers while still preventing zone-walking), but that other considerations are *explicitly* out of scope.

My motivation is that I have seen in my industry some knee-jerk adoption of things like NSEC3 without a full examination of the trade-offs. So I am not proposing any changes to CDoE; only that your RFC gives people the opportunity to make informed decisions about what to use.

When I suggested NXDOMAIN synthesis twenty years
ago as a way to speed up sparse IPv6 DNSBL queries, the dnsop crowd
firmly told me that I was an idiot even to propose it, and the only
valid approach was to get nice fresh answers from the authoritative
servers each time.

Totally agree with the sentiment. I didn't think much about the value of NXDOMAIN synthesis one way or another until the last couple of years.

michael
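The point made in the thread, that a resolver doing RFC 8198 aggressive negative caching gets nothing from minimally covering NSEC records, as an added illustration that is not part of the thread or of any draft. It assumes a constructed zone `example.com` holding only `a` and `m`, and approximates the RFC 4470 predecessor with a single padded label.

```python
# Added example: why RFC 8198 NXDOMAIN synthesis works from a precomputed NSEC
# chain but not from minimally covering NSEC records produced by online signers.

def canonical_key(name: str):
    """Sort key for the RFC 4034 canonical DNS name order (rightmost label first)."""
    name = name.rstrip(".")
    labels = name.split(".") if name else []
    return tuple(label.encode("latin-1").lower() for label in reversed(labels))


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname falls strictly inside the (owner, next) gap of an NSEC.
    A next name that sorts at or before owner is the last NSEC in the chain
    and wraps around to the zone apex."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    return q > o or q < n


def synthesizable(cached_nsecs, qname: str) -> bool:
    """RFC 8198: the resolver may answer NXDOMAIN itself if a cached NSEC
    covers qname (the separate wildcard proof is omitted here)."""
    return any(nsec_covers(o, n, qname) for o, n in cached_nsecs)


def minimally_covering_nsec(qname: str):
    """Build an NSEC covering qname and as little else as possible.
    Successor is '\\000.qname' as in RFC 4470. Predecessor: decrement the last
    octet of the leftmost label and pad with 0xff (RFC 4470 additionally
    appends further maximal labels; that refinement is omitted here)."""
    first, rest = qname.split(".", 1)
    pred = first[:-1] + chr(ord(first[-1]) - 1) + "\xff" * (63 - len(first))
    return (f"{pred}.{rest}", f"\x00.{qname}")


# Constructed zone example.com with names a and m: offline-signed NSEC chain.
PRECOMPUTED = [("example.com", "a.example.com"),
               ("a.example.com", "m.example.com"),
               ("m.example.com", "example.com")]


def demo():
    online = [minimally_covering_nsec("c.example.com")]  # from one query for c
    return {
        "precomputed_covers_c": synthesizable(PRECOMPUTED, "c.example.com"),
        "precomputed_covers_f": synthesizable(PRECOMPUTED, "f.example.com"),
        "online_covers_c": synthesizable(online, "c.example.com"),
        "online_covers_f": synthesizable(online, "f.example.com"),
        "online_covers_bz": synthesizable(online, "bz.example.com"),
    }
```

With the precomputed chain one cached record answers every name between `a` and `m`; the online record answers only the name that was asked for, so every other nonexistent name still reaches the authoritative server.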

_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
