* Mukund Sivaraman [2017-01-04 19:24]:
> Assume an attacker is able to spoof answers, which is where DNSSEC
> validation helps. If a ZSK is leaked, it becomes a problem only when an
> attacker is able to spoof answers (i.e., perform the attack).
>
> What you're saying is that with a special NSEC3-
On 4 Jan 2017, at 9:33, Nicholas Weaver wrote:
> Any system which prevents zone enumeration requires online signing,
> https://www.cs.bu.edu/~goldbe/papers/nsec5faq.html
That statement isn't really supported by the text on the page. Depending
on the zone, using pre-signed NSEC3 prevents varying a
* Paul Hoffman [2017-01-05 18:05]:
>> NSEC3 lies work today, but people worry that NSEC3 might have server
>> compromise compromise the ZSK.
>
> NSEC3 lies can also be created with pre-computing, but at a cost of
> greatly increasing the size of the zone.
NSEC/NSEC3 lies prevent enumeration effec
On 5 Jan 2017, at 11:27, Matthäus Wander wrote:
> * Paul Hoffman [2017-01-05 18:05]:
>>> NSEC3 lies work today, but people worry that NSEC3 might have server
>>> compromise compromise the ZSK.
>> NSEC3 lies can also be created with pre-computing, but at a cost of
>> greatly increasing the size of the zone.
Paul Hoffman wrote on 2017-01-05 20:44:
>> A pre-computed chain does not provide the same benefit. It increases the
>> enumeration cost in terms of network queries (CPU time is of less
>> importance here because the collection process is network-bound except
>> for the very last few NSEC3 records)
All
Since we're having so much fun on adopting work, let's have another one.
We discussed this work in Seoul, and there was a solid hum on adopting
this work.
This starts a Call for Adoption for:
draft-wouters-sury-dnsop-algorithm-update
The draft is available here:
https://datatracker.ietf
On Wed, Jan 4, 2017 at 12:33 PM, Nicholas Weaver
wrote:
> Any system which prevents zone enumeration requires online signing,
> https://www.cs.bu.edu/~goldbe/papers/nsec5faq.html
>
> But NSEC5 is almost certainly not going to be adopted, simply because of
> the partial deployment problem.
>
> NSE
On Sun, Nov 27, 2016 at 6:10 AM Mukund Sivaraman wrote:
> Hi Warren
>
> On Mon, Nov 14, 2016 at 02:05:31PM +0900, Warren Kumari wrote:
> > Hi all,
> >
> > I have just submitted "Stretching DNS TTLs"
> > (draft-wkumari-dnsop-ttl-stretching-00).
> >
> > The very high level overview is:
> > If you a