
Re: NSEC version field (Re: NSEC2- and an Authenticated Denial Mechanism Flag)



At 19:59 +0100 5/27/04, Roy Badami wrote:
> "Paul" == Paul Vixie <paul@vix.com> writes:
>
> >> ... I am assuming that DNSSECbis is modified so NSEC RRs
> >> contain a version field, which is set to 1 (say).
>
> Paul> please don't do this.
>
> Sorry, perhaps I should have said:
>
>     "I am assuming, for sake of discussion of the proposal, that the
>     NSEC record is versioned, as proposed in this thread"
>
> I didn't mean to imply anything in a wider context.
>
> -roy

I have my doubts that versioning NSEC is possible.


Let's say that we put in the current documents:

"When descending from a parent to a child, assume a verifier sees neither a DS RR nor an NSEC(v1) RR denying a DS RR and instead sees an NSEC(v2) in the authority section. In this case the verifier is to assume that a new style of authenticated denial is in use and therefore assume the child is unsigned."

Assuming that the NSEC(v2) passes signature validation, how does the NSEC(v1)-era validator confirm that the right NSEC(v2) is there? How do you detect an insertion error - that an eavesdropper didn't replay a non-material NSEC(v2) to deny secure access to that zone?

Assume a signed child, with such a clause I can reply with an alternate set of name servers and a non-material (but still signed) NSEC(v2) record. I can make it look like the child is unsigned while still passing all of the security checks.

It seems to me that you'd have to turn off DNSSEC processing and restart for the next version once everyone has cleared out the old verifiers.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                            +1-703-227-9854
ARIN Research Engineer

Even the voices inside my head are refusing to talk to me anymore.
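The replay Ed describes, modelled as an added example that is not part of the original message or of any DNSSEC implementation. The zone "example.", its two delegations, and the "NSEC2" record type are constructed for illustration; an HMAC stands in for the parent's RRSIG so the script runs offline. The toy verifier knows how to check that an NSEC(v1) actually applies to the name in question (owner match or covering range), but under the proposed clause it can check nothing about an NSEC(v2) except its signature, which is exactly what lets a signed-but-unrelated NSEC(v2) from elsewhere in the parent downgrade a signed child to "insecure":

```python
import hashlib
import hmac
from dataclasses import dataclass

# Toy key shared by signer and verifier. Real DNSSEC uses public-key RRSIGs; the
# HMAC is a constructed stand-in so the example is self-contained and offline.
PARENT_KEY = b"example-zone-signing-key (constructed)"


@dataclass(frozen=True)
class RR:
    owner: str        # owner name, e.g. "secure.example."
    rtype: str        # "DS", "NS", "NSEC", or the hypothetical "NSEC2"
    rdata: tuple      # NSEC/NSEC2: (next_owner, type_bitmap); DS/NS: opaque
    sig: bytes = b""  # empty for unsigned data such as a delegation NS set


def sign(owner, rtype, rdata):
    return hmac.new(PARENT_KEY, repr((owner, rtype, rdata)).encode(), hashlib.sha256).digest()


def signed(owner, rtype, rdata):
    return RR(owner, rtype, rdata, sign(owner, rtype, rdata))


def valid_sig(rr):
    return bool(rr.sig) and hmac.compare_digest(rr.sig, sign(rr.owner, rr.rtype, rr.rdata))


def canon(name):
    # Canonical DNS ordering: compare labels right to left, case-insensitively.
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def nsec_v1_denies_ds(nsec, child):
    """Does this NSEC(v1) prove there is no DS at `child`?  The verifier can
    decide this because it understands NSEC semantics: the record must either
    sit at the delegation itself (owner == child) with no DS in the type bitmap,
    or cover the name (owner < child < next), proving nothing exists there."""
    next_owner, types = nsec.rdata
    if canon(nsec.owner) == canon(child):
        return "DS" not in types
    return canon(nsec.owner) < canon(child) < canon(next_owner)


def classify_child(child, response, accept_nsec2_clause):
    """Return 'secure', 'insecure' or 'bogus' for a delegation, given the
    records seen when descending from parent to child."""
    for rr in response:
        if rr.rtype == "DS" and canon(rr.owner) == canon(child) and valid_sig(rr):
            return "secure"
    for rr in response:
        if rr.rtype == "NSEC" and valid_sig(rr) and nsec_v1_denies_ds(rr, child):
            return "insecure"
    if accept_nsec2_clause:
        # The proposed clause: a validly signed NSEC2 in the authority section
        # means "new-style denial in use, treat the child as unsigned".  A v1
        # verifier has no way to check which name the NSEC2 is actually about.
        for rr in response:
            if rr.rtype == "NSEC2" and valid_sig(rr):
                return "insecure"
    return "bogus"


# Constructed parent zone "example." with two delegations: secure.example. has
# a DS; other.example. has no DS and is denied by an NSEC(v1) and, in the
# hypothetical new scheme, also by an NSEC2.  All three are parent-signed.
DS_SECURE = signed("secure.example.", "DS", ("12345", "8", "2", "ab" * 32))
NSEC_OTHER = signed("other.example.", "NSEC", ("secure.example.", ("NS", "NSEC", "RRSIG")))
NSEC2_OTHER = signed("other.example.", "NSEC2", ("secure.example.", ("NS", "NSEC2", "RRSIG")))

# Attacker: swap in its own (unsigned) name servers and replay a genuinely
# signed but non-material denial record taken from elsewhere in the parent.
FAKE_NS = RR("secure.example.", "NS", ("ns.attacker.invalid.",))

HONEST_RESPONSE = [DS_SECURE]
REPLAY_NSEC_V1 = [FAKE_NS, NSEC_OTHER]   # v1 verifier can see this NSEC is not about secure.example.
REPLAY_NSEC2 = [FAKE_NS, NSEC2_OTHER]    # v1 verifier can only check the NSEC2 signature


def run_scenarios():
    return {
        "honest": classify_child("secure.example.", HONEST_RESPONSE, True),
        "replay_v1": classify_child("secure.example.", REPLAY_NSEC_V1, True),
        "replay_v2_without_clause": classify_child("secure.example.", REPLAY_NSEC2, False),
        "replay_v2_with_clause": classify_child("secure.example.", REPLAY_NSEC2, True),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:26s} {verdict}")
```

The replayed NSEC(v1) is rejected because the verifier checks that it covers or matches secure.example.; the replayed NSEC(v2) is accepted under the clause because the only check the old verifier can perform on a record type it does not understand is the signature, and the signature is genuine.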

archive: <http://ops.ietf.org/lists/namedroppers/>