
Re: NSEC version field (Re: NSEC2- and an Authenticated Denial Mechanism Flag)



>>>>> "Edward" == Edward Lewis <edlewis@arin.net> writes:

    Edward> Assume a signed child, with such a clause I can reply with
    Edward> an alternate set of name servers and a non-material (but
    Edward> still signed) NSEC(v2) record.  I can make it look like
    Edward> the child is unsigned while still passing all of the
    Edward> security checks.

I'm not sure you can reply with an alternate set of name servers,
since the NS RRset still won't have the right signature.  But you can
certainly respond without a DS record, and with an irrelevant NSEC(v2)
record, and fool an NSEC(v1) resolver into believing the child zone is
unsigned.

I did propose a solution to that; namely a null DS record.  I'm not
sure a versioned NSEC record is much use without a solution to this
problem.

      -roy
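The downgrade Roy describes, modelled as an added example that is not code from this thread or from any real resolver: a resolver whose delegation logic accepts any validly signed NSEC as proof of "no DS" can be handed an unrelated NSEC(v2) and conclude the signed child is unsigned, whereas a resolver that insists on a known version and on the NSEC actually covering the delegation name rejects the answer. The `version` field, the `Referral` structure and the zone names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

def labels(name: str):
    # Canonical ordering (RFC 4034 s6.1): compare labels from the root
    # downward, case-insensitively, so ownership intervals can be checked.
    return tuple(reversed(name.lower().rstrip(".").split(".")))

@dataclass
class NSEC:
    owner: str
    next_name: str
    types: frozenset
    version: int = 1          # hypothetical version field from the proposal

@dataclass
class Referral:
    child: str                # delegation name the resolver asked about
    ds_present: bool
    nsec: Optional[NSEC]
    sigs_valid: bool          # assume RRSIG checks already passed or failed

def nsec_covers(n: NSEC, name: str) -> bool:
    """True if name == owner or owner < name < next (wrapping at zone end)."""
    o, nx, q = labels(n.owner), labels(n.next_name), labels(name)
    if o < nx:
        return o <= q < nx
    return q >= o or q < nx   # last NSEC in the chain points back to the apex

def naive_delegation_status(r: Referral) -> str:
    # NSEC(v1)-era logic: no DS plus *any* signed NSEC means "child is unsigned".
    if r.ds_present:
        return "secure"
    if r.nsec and r.sigs_valid:
        return "insecure"
    return "bogus"

def strict_delegation_status(r: Referral) -> str:
    # Hardened: the NSEC must be a version we understand, must own or cover
    # the delegation name, and must not list DS if it owns that name.
    if r.ds_present:
        return "secure"
    n = r.nsec
    if not (n and r.sigs_valid and n.version == 1 and nsec_covers(n, r.child)):
        return "bogus"
    if labels(n.owner) == labels(r.child) and "DS" in n.types:
        return "bogus"
    return "insecure"
```

The strict check still cannot distinguish "no DS was ever published" from "the DS was stripped" once a covering NSEC is forged by the parent itself, which is why the thread turns to a null DS record rather than NSEC versioning alone.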

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>