Re: NSEC version field (Re: NSEC2- and an Authenticated Denial Mechanism Flag)
Ed, Paul,
This 'downgrade attack' is FUD (technically it's there, but it's a
non-issue). How would we EVER use a new signing algorithm, currently not
in use, if the downgrade attack would be a problem?
Unless folk upgrade V1 (nsec) resolvers to V2 (nsec2), they see V2 zones
as unsigned.
My point is:
V2 zones do not yet exist. Would-be V2 zones are unsigned now. When V2
zones exist, they will still be unsigned to V1 resolvers. Eventually V1
resolvers will upgrade to V2 resolvers.
Part of the upgrade curve.
What exactly is the problem?
As an analogy.
DNSSEC zones do not yet exist. Would-be DNSSEC zones are unsigned now.
When DNSSEC zones exist, they will still be unsigned to LEGACY resolvers.
Eventually LEGACY resolvers will upgrade to DNSSEC resolvers.
Part of the upgrade curve.
Roy
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>