
Re: NSEC+ and NO



> "NSEC" walking would usually not be done with explicit queries for NSEC RRs
> (because that's too easy to answer with REFUSED, since there's probably no
> need for those queries) ...

actually i was planning on using ANY queries starting at @, the answers to
which would include NSEC.  that way i can gather all the data in the same
pass where i gather all the names.

in the scenario, booby traps would be quite effective.

the trouble with booby traps is, since udp source addresses are spoofworthy,
it would be possible to make an authority server generate and hold a huge amount
of state just by forging a boobytrap-o-gram from a zillion different addresses.
if there's a quota, you can make them overrun it, thus making room for your
real zonewalk queries.  if there's no quota, you can make them run out of
state-memory.

--
archive: <http://ops.ietf.org/lists/namedroppers/>
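
The quota trade-off described in the message above, modelled as an added example that is not part of the original post. It assumes a trap hit makes the server remember the source address, and that a full table evicts its oldest entry; the `TrapTable` class, the eviction policy, and all addresses are constructed for illustration.

```python
from collections import OrderedDict
import ipaddress


class TrapTable:
    """Per-source state kept after a booby trap is hit (assumed model)."""

    def __init__(self, quota=None):
        self.quota = quota            # None means no quota: unbounded growth
        self.flagged = OrderedDict()  # source address -> hit count, oldest first

    def trap_hit(self, src):
        # Record the (unverifiable) UDP source address that touched a trap.
        self.flagged[src] = self.flagged.get(src, 0) + 1
        self.flagged.move_to_end(src)
        if self.quota is not None:
            while len(self.flagged) > self.quota:
                self.flagged.popitem(last=False)  # assumed policy: evict oldest

    def is_flagged(self, src):
        return src in self.flagged


def forged_sources(n):
    # Constructed addresses from the 198.18.0.0/15 benchmarking range.
    base = int(ipaddress.IPv4Address("198.18.0.0"))
    return [str(ipaddress.IPv4Address(base + i)) for i in range(n)]


def simulate(quota, forged):
    """Flag one real walker, then replay `forged` trap hits from spoofed sources.

    Returns (walker_still_flagged, entries_held_by_server).
    """
    table = TrapTable(quota)
    walker = "192.0.2.53"  # constructed documentation address
    table.trap_hit(walker)
    for src in forged_sources(forged):
        table.trap_hit(src)
    return table.is_flagged(walker), len(table.flagged)


if __name__ == "__main__":
    for quota, forged in [(1000, 999), (1000, 1000), (None, 5000)]:
        still_flagged, held = simulate(quota, forged)
        print(f"quota={quota} forged={forged} "
              f"walker_flagged={still_flagged} entries={held}")
```

With a quota, the walker's entry survives only while the forged hits number fewer than the quota; without one, the entry count grows by one per forged source, so the table size is set by whoever sends the packets.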