
RE: NSEC version field (Re: NSEC2- and an Authenticated Denial Mechanism Flag)



At 12:41 -0700 5/28/04, Hallam-Baker, Phillip wrote:
> Could we maybe as a compromise agree now that the only difference
> between v1 and v2 will be that in v2 a new versioned NSEC
> record would be used?

I don't think there's been an agreement that there ought to be an answer to zone enumeration. I've been analyzing the possibility of 1) allowing there to be a way forward and 2) adoption of the NSEC2 proposal in case we decided this is to be pursued.


I'm not convinced that we need to defend against zone enumeration. I'm all for providing this if it were easy to accomplish.

I have yet to see a way to provide a seamless way to convert from NSEC to another approach to authenticated denial (for any purpose). (Hmmm, perhaps detailing what happens if the NSEC claims that it itself doesn't exist - but that's been tried before and failed.)

I think that the NSEC2 is capable of obfuscating the zone's contents, but can do so only at a greater cost. This cost can be gamed by the client and has the potential to be rather high.

I'd put my opinions this way - if providing a way forward were easy and/or if providing obfuscation was cheap to do, I'd be for it. But from the work I've done, the costs to do either seem to be rather high, meaning that there has to be a lot of need to provide them.

> We write a new short note that says that the V2 identifier is
> reserved for servers that support NSEC-V, the versioned variant
> of NSEC.

What is the V2 identifier?


> Worst case this would mean that we burn a version identifier.

There's no version identifier in the current definition of DNSSECbis; one of the premises of this proposal was that there would be no need to change the documents.


--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                            +1-703-227-9854
ARIN Research Engineer

Even the voices inside my head are refusing to talk to me anymore.
