Hi Shane
On Mon, Nov 28, 2016 at 02:53:49PM +0100, Shane Kerr wrote:
> John,
>
> At 2016-11-27 15:18:18 -
> "John Levine" wrote:
>
> > >What are the consequences of the authoritative server returning
> > >synthesized unsigned NSEC3 RRs upon being signalled by the resolver
> > >using an EDN
> Perhaps the bloom-filter idea is something that should be explored
> after all (although I admit I don't see the relation to the unsigned
> NSEC3 approach)?
I agree they might be interesting, but I'd like to keep them far away from
pseudo-DNSSEC.
Regards,
John Levine, jo...@taugh.com, Taughannock
John,
At 2016-11-27 15:18:18 -
"John Levine" wrote:
> >What are the consequences of the authoritative server returning
> >synthesized unsigned NSEC3 RRs upon being signalled by the resolver
> >using an EDNS option?
>
> A message to the world that there is no need to sign your zones,
> be
>What are the consequences of the authoritative server returning
>synthesized unsigned NSEC3 RRs upon being signalled by the resolver
>using an EDNS option?
A message to the world that there is no need to sign your zones,
because we will solve your problems by magic. Please, let's not
go there.
draft-ietf-dnsop-nsec-aggressiveuse works for stopping random sub-domain
attacks for signed zones.
The problem exists for unsigned zones and different approaches have been
proposed:
- Bloom filtering queries (e.g. https://github.com/hdais/unbound-bloomfilter)
- Bloom filter bitfield in RRs (e.g.
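
Added example, not taken from any message in this thread and not the draft's, Unbound's or BIND's code: the resolver-side logic that draft-ietf-dnsop-nsec-aggressiveuse relies on for signed zones. Given NSEC records that have already been validated into the cache, it decides whether a query can be answered NXDOMAIN or NODATA locally, so a random-subdomain flood against a signed zone is absorbed by the resolver instead of reaching the authoritative server. The zone "example.", its NSEC chain and the helper names (canon, covers, closest_encloser, synthesize) are constructed for this illustration; RRSIG validation is assumed to have happened before the records entered the cache and is not shown.

```python
from typing import NamedTuple, Optional


class NSEC(NamedTuple):
    owner: str          # owner name of the NSEC RR
    next_name: str      # Next Domain Name field
    types: frozenset    # Type Bit Maps field, as RR type mnemonics


def canon(name: str) -> tuple:
    """DNSSEC canonical ordering key (RFC 4034, section 6.1): labels are
    compared right to left, case-insensitively, as octet strings, and a
    name sorts before its own descendants."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def under(name: tuple, ancestor: tuple) -> bool:
    return name[: len(ancestor)] == ancestor


def is_delegation(nsec: NSEC) -> bool:
    """An NSEC with NS but no SOA sits at a delegation point. It says nothing
    about names below it; those live in the child zone."""
    return "NS" in nsec.types and "SOA" not in nsec.types


def covers(nsec: NSEC, qname: str) -> bool:
    """True if the NSEC proves that qname does not exist."""
    q, o, n = canon(qname), canon(nsec.owner), canon(nsec.next_name)
    if o < n:
        inside = o < q < n
    else:
        # Last NSEC of the zone: Next Domain Name wraps to the apex, so it
        # covers everything after the owner, but only inside this zone.
        inside = q > o and under(q, n)
    return inside and not (is_delegation(nsec) and under(q, o))


def closest_encloser(nsec: NSEC, qname: str) -> str:
    """Longest ancestor of qname shared with the covering NSEC's owner or
    next name. Both of those names exist, so that ancestor exists too."""
    q = canon(qname)
    best = ()
    for cand in (canon(nsec.owner), canon(nsec.next_name)):
        i = 0
        while i < min(len(q), len(cand)) and q[i] == cand[i]:
            i += 1
        best = max(best, q[:i], key=len)
    return ".".join(l.decode("ascii") for l in reversed(best)) + "."


def synthesize(cache, qname: str, qtype: str) -> Optional[str]:
    """Return 'NXDOMAIN' or 'NODATA' when the cached NSEC records prove it,
    or None when the resolver has to send the query upstream."""
    q = canon(qname)
    for nsec in cache:
        if canon(nsec.owner) == q:
            if qtype in nsec.types:
                return None                 # the RRset exists; fetch it
            if is_delegation(nsec) and qtype != "DS":
                return None                 # answer lives in the child zone
            return "NODATA"
    covering = next((n for n in cache if covers(n, qname)), None)
    if covering is None:
        return None
    # NXDOMAIN also needs proof that no wildcard at the closest encloser
    # would have synthesized an answer (RFC 4035 denial-of-existence rules).
    wildcard = "*." + closest_encloser(covering, qname)
    if any(canon(n.owner) == canon(wildcard) for n in cache):
        return None                         # a wildcard exists: ask upstream
    if not any(covers(n, wildcard) for n in cache):
        return None                         # no proof either way yet
    return "NXDOMAIN"


# Constructed sample: the NSEC chain of a small signed zone "example.", as a
# validating resolver would hold it once the RRSIGs checked out.
CACHE = [
    NSEC("example.",      "a.example.",    frozenset({"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"})),
    NSEC("a.example.",    "mail.example.", frozenset({"A", "NSEC", "RRSIG"})),
    NSEC("mail.example.", "sub.example.",  frozenset({"A", "MX", "NSEC", "RRSIG"})),
    NSEC("sub.example.",  "example.",      frozenset({"NS", "DS", "NSEC", "RRSIG"})),
]

if __name__ == "__main__":
    for qname, qtype in [("random123.example.", "A"), ("a.example.", "AAAA"),
                         ("www.sub.example.", "A"), ("foo.test.", "A")]:
        print(qname, qtype, synthesize(CACHE, qname, qtype))
```

Two details matter in practice and are easy to get wrong: an NXDOMAIN may only be synthesized once the cache also proves there is no wildcard at the closest encloser, and an NSEC at a delegation point must never be used to deny names under that delegation, since they belong to the child zone. This is the NSEC case only; with NSEC3 the same decision requires hashing the query name and the candidate wildcard with the zone's parameters before the cover check.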