Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-15 Thread Paul Vixie
> Nicholas Weaver > Sunday, March 15, 2015 4:44 AM >> On Mar 13, 2015, at 7:59 PM, Paul Vixie wrote: > >>> Nicholas Weaver Saturday, March 14, 2015 5:07 AM >>> ... Overall, unless you are validating on the end host rather than the recur

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-15 Thread Mark Andrews
In message <5505337b.9030...@redbarn.org>, Paul Vixie writes: > what matters for DNSSEC is the end-to-end case. as long as comcast is > running DNSSEC-aware resolvers, they don't need to validate anything in > order to make DNSSEC applications like DANE workable for their > customers. and i'd rath

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-15 Thread Ted Lemon
On Mar 15, 2015, at 6:14 AM, Mark Andrews wrote: > Can we kill this myth that recursive servers do not need to validate > because they do need to validate for DNSSEC to work reliably. DNSSEC > only works without validation in the middle if no one is spoofing, dropping > RRSIGs etc. The moment the

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-15 Thread David Conrad
Hi, >> "DNS is insecure, live with it" may be the best answer. Why keep throwing >> good effort after bad? > it's not, though, the best answer. we have to secure the DNS resolution path. Probably a terminology issue, but I think we need to secure the data, not the resolution path. I'm not a pa

Re: [DNSOP] Comments regarding the NSEC5

2015-03-15 Thread Ondřej Surý
JFTR I don't think the target audience is TLDs, but I have heard several times speaking to me that they won't implement DNSSEC because of enumeration (citing djb's paper on NSEC3 offline enumeration). Those folks are the target audience for the cryptographically proven anti-enumeration soluti

Re: [DNSOP] Using NSEC3 for opt-out, was Re: Comments regarding the NSEC5

2015-03-15 Thread Ondřej Surý
JFTR .cz was asked by "The Office for Personal Data Protection" to implement measures to protect the personal data for domain holders. NSEC3 was part of the solution. O. -- Ondřej Surý -- Chief Science Officer CZ.NIC, z.s.p.o.-- Laboratoř

Re: [DNSOP] Using NSEC3 for opt-out, was Re: Comments regarding the NSEC5

2015-03-15 Thread Patrik Fältström
> On 15 mar 2015, at 17:30, Ondřej Surý wrote: > > JFTR .cz was asked by "The Office for Personal Data Protection" to implement > measures to protect the personal data for domain holders. NSEC3 was part of > the solution. Can you explain more how that was part of the solution? Patrik

Re: [DNSOP] Using NSEC3 for opt-out, was Re: Comments regarding the NSEC5

2015-03-15 Thread Ondřej Surý
This is a really vague memory of it, but the main problem was that NSEC enumeration with public whois allowed data scraping. Thus whois rate limiting, implementation of "hide-this" flags and NSEC3 was deployed to prevent the majority of it. Some limits were also implemented in the registry to preven

Re: [DNSOP] Using NSEC3 for opt-out, was Re: Comments regarding the NSEC5

2015-03-15 Thread Patrik Fältström
> On 15 mar 2015, at 21:19, Ondřej Surý wrote: > > This is a really vague memory of it, but the main problem was that NSEC > enumeration with public whois allowed data scraping. Ok, but the real problem was then that all registered domain names were also delegated? Together with all data exist