On Fri, Nov 25, 2016 at 07:50:48PM -0500,
tjw ietf wrote
a message of 114 lines which said:
> This starts a Working Group Last Call for
> draft-ietf-dnsop-refuse-any
Since we'll apparently have one more iteration of the draft, one small
detail. The draft says:
> The HINFO RRTYPE is believed
Any system which prevents zone enumeration requires online signing,
https://www.cs.bu.edu/~goldbe/papers/nsec5faq.html
But NSEC5 is almost certainly not going to be adopted, simply because of the
partial deployment problem.
NSEC3 lies work today, but people worry that NSEC3 might have server co
Hi Nicholas
On Wed, Jan 04, 2017 at 09:33:04AM -0800, Nicholas Weaver wrote:
> This way, you can deploy this solution today using white lies, and as
> resolvers are updated, this reduces the potential negative consequence
> of a key compromise to “attacker can only fake an NXDOMAIN”, allowing
> ev
> On Jan 4, 2017, at 10:24 AM, Mukund Sivaraman wrote:
>
> Hi Nicholas
>
> On Wed, Jan 04, 2017 at 09:33:04AM -0800, Nicholas Weaver wrote:
>> This way, you can deploy this solution today using white lies, and as
>> resolvers are updated, this reduces the potential negative consequence
>> of a
Hi Nicholas
On Wed, Jan 04, 2017 at 10:28:11AM -0800, Nicholas Weaver wrote:
>
> > On Jan 4, 2017, at 10:24 AM, Mukund Sivaraman wrote:
> >
> > Hi Nicholas
> >
> > On Wed, Jan 04, 2017 at 09:33:04AM -0800, Nicholas Weaver wrote:
> >> This way, you can deploy this solution today using white lie
On Wed, Jan 04, 2017 at 10:28:11AM -0800, Nicholas Weaver wrote:
> An attacker in that position can just put in garbage, and you get
> SERVFAIL instead of NXDOMAIN, regardless of whether the attacker has
> compromised the key or not.
A SERVFAIL is an erroneous condition. An NXDOMAIN is not - it is
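The two messages above turn on what a "white lie" actually is and on what an attacker holding an online signing key can and cannot forge with one. The following is an added example written for this page; it is not code from the thread, from any of its authors, or from any DNS implementation. It implements the NSEC3 hash of RFC 5155 section 5 with the standard library only, builds the minimally covering "white lie" NSEC3 for one query name (the NSEC3 form of the RFC 4470 idea: owner = H(qname) - 1, next = H(qname) + 1 in hash order), and shows the validator-side cover check, including the wraparound at the end of the hash ring. The test vector (zone "example.", salt aabbccdd, 12 iterations) is the one from RFC 5155 Appendix A; the query names "nonexistent.example." and the nearby hash values are constructed for the example.

```python
"""NSEC3 hashing (RFC 5155 section 5) and NSEC3 "white lie" minimal covers.

Added example for the dnsop thread above; not code from the thread or any
DNS implementation. Standard library only.
"""
import base64
import hashlib

# NSEC3 owner names use the base32 "extended hex" alphabet (RFC 4648),
# which the standard library does not emit directly; translate by position.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV"
)
_B32HEX_TO_B32 = str.maketrans(
    "0123456789ABCDEFGHIJKLMNOPQRSTUV", "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
)
_HASH_BITS = 160  # SHA-1, the only NSEC3 hash algorithm defined


def to_wire(name: str) -> bytes:
    """Canonical (lowercased) uncompressed wire format of a domain name."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("bad label length in %r" % name)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash_bytes(name: str, salt: bytes, iterations: int) -> bytes:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def b32hex(data: bytes) -> str:
    """Lowercase base32hex without padding, as in NSEC3 owner names."""
    text = base64.b32encode(data).decode("ascii").rstrip("=")
    return text.translate(_B32_TO_B32HEX).lower()


def from_b32hex(text: str) -> bytes:
    text = text.upper().translate(_B32HEX_TO_B32)
    return base64.b32decode(text + "=" * (-len(text) % 8))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    return b32hex(nsec3_hash_bytes(name, salt, iterations))


def white_lie(qname: str, salt: bytes, iterations: int) -> tuple:
    """Minimal covering NSEC3 for one non-existent name.

    owner = H(qname) - 1 and next = H(qname) + 1 in hash order, so the
    record denies exactly one hash value. Because the record is built per
    query, the signing key has to be online; this is the "white lie" the
    thread refers to.
    """
    h = int.from_bytes(nsec3_hash_bytes(qname, salt, iterations), "big")
    mod = 1 << _HASH_BITS
    owner = ((h - 1) % mod).to_bytes(_HASH_BITS // 8, "big")
    nxt = ((h + 1) % mod).to_bytes(_HASH_BITS // 8, "big")
    return b32hex(owner), b32hex(nxt)


def nsec3_covers(owner_hash: str, next_hash: str, qname_hash: str) -> bool:
    """Validator-side check: is the query hash strictly inside (owner, next)?

    The last NSEC3 in a chain points back to the first, so the interval may
    wrap around the end of the hash ring.
    """
    o, n, q = (int.from_bytes(from_b32hex(x), "big")
               for x in (owner_hash, next_hash, qname_hash))
    if o == n:
        return q != o  # single-record chain covers everything but itself
    if o < n:
        return o < q < n
    return q > o or q < n  # wraparound interval


def denial_accepted(owner_hash: str, next_hash: str, qname: str,
                    salt: bytes, iterations: int) -> bool:
    """What a validator concludes from a (correctly signed) covering record:
    the name does not exist. A record that covers a different hash proves
    nothing about this qname, which is why a forged white lie can only
    produce an NXDOMAIN for the one name it was built for."""
    return nsec3_covers(owner_hash, next_hash, nsec3_hash(qname, salt, iterations))


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")  # RFC 5155 Appendix A parameters
    print(nsec3_hash("example.", salt, 12))
    owner, nxt = white_lie("nonexistent.example.", salt, 12)  # constructed name
    print(owner, nxt, denial_accepted(owner, nxt, "nonexistent.example.", salt, 12))
```

The cover check is the whole of what a validator learns from a white lie: the record, if its RRSIG verifies, says only that one hash value has no owner. Something that does not verify at all is not a denial of anything and leaves the resolver with a bogus (SERVFAIL) result rather than an NXDOMAIN, which is the distinction the last message above is drawing.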