Re: DNSSEC and CVE-2012-1033 (Ghost domain names)

2012-02-13 Thread Casey Deccio
On Mon, Feb 13, 2012 at 2:31 PM, Tony Finch wrote:
> Florian Weimer wrote:
>
> > Doesn't the DNSSEC-based mitigation rely on RRSIGs whose validity does
> > not extend too far into the future?
>
> It depends on the TTL of the DS record or its proof of nonexistence.
>
> Of course, the TTL is als

Re: DNSSEC and CVE-2012-1033 (Ghost domain names)

2012-02-13 Thread Tony Finch
Florian Weimer wrote:
>
> Doesn't the DNSSEC-based mitigation rely on RRSIGs whose validity does
> not extend too far into the future?

It depends on the TTL of the DS record or its proof of nonexistence.

Tony.
--
f.anthony.n.finch http://dotat.at/
North FitzRoy, Sole: Northerly or northweste

Re: DNSSEC and CVE-2012-1033 (Ghost domain names)

2012-02-13 Thread Florian Weimer
* Stephane Bortzmeyer:
> OK, so there is nothing that can be done at the registry level.

Doesn't the DNSSEC-based mitigation rely on RRSIGs whose validity does not extend too far into the future?

Re: DNSSEC and CVE-2012-1033 (Ghost domain names)

2012-02-10 Thread Casey Deccio
On Fri, Feb 10, 2012 at 2:27 PM, Casey Deccio wrote:
> Unless future specification or implementation designated that delegation
> follow the same model as trust--that is, that a delegation only last as
> long as the parent said it did.

I hadn't previously read Paul's resimprove draft on this to

Re: DNSSEC and CVE-2012-1033 (Ghost domain names)

2012-02-10 Thread Casey Deccio
On Fri, Feb 10, 2012 at 7:37 AM, Stephane Bortzmeyer wrote:
> On Thu, Feb 09, 2012 at 12:38:42PM -0800,
> Casey Deccio wrote
> a message of 67 lines which said:
>
> > Actually, it should, in the spirit of DNSSEC.
>
> OK, so there is nothing that can be done at the registry level.

No.

> Only

Re: DNSSEC and CVE-2012-1033 (Ghost domain names)

2012-02-10 Thread Stephane Bortzmeyer
On Thu, Feb 09, 2012 at 12:38:42PM -0800,
Casey Deccio wrote
a message of 67 lines which said:

> Actually, it should, in the spirit of DNSSEC.

OK, so there is nothing that can be done at the registry level. Only the resolver admin can use DNSSEC to solve the ghost domain problem, by enabling

Re: DNSSEC and CVE-2012-1033 (Ghost domain names)

2012-02-09 Thread Gilles Massen
On 9/2/12 21:38 , Casey Deccio wrote:
>
> Is it because the resolver, even if sticky, re-queries the parent when
> the negative TTL of the (missing) DS records ends? And chokes when it
> receives back a NXDOMAIN?
>
>
> Actually, what I have observed in my limited testing is that the

Re: DNSSEC and CVE-2012-1033 (Ghost domain names)

2012-02-09 Thread Casey Deccio
On Thu, Feb 9, 2012 at 1:26 AM, Stephane Bortzmeyer wrote:
> Unless you make DNSSEC mandatory, how will
> you solve the ghost domain problem with DNSSEC? If the resolver is
> sticky (will not go to the parent to ask the NS RRset), it won't check
> the NSEC at the parent either...
>
>

Actually, it