Re: Proposal to fix NSEC
ben@algroup.co.uk (Ben Laurie) writes:
[...]
> I actually am still of the view that if nameservers suddenly started
> returning NSEC2 instead of NSEC things would work as desired: namely old
> resolvers would suddenly get protocol errors instead of NXDOMAIN, and
> new resolvers would just work.
>
> If this causes bad things to happen, then DNSSECbis is already broken,
> since an attacker can clearly cause NSEC records to be corrupt.
Define "bad". DNSSEC has never been proof against DoS attacks that make
it unable to answer questions (as opposed to answer them incorrectly).
That doesn't mean that a protocol change that would simulate the effect
of a DoS attack would be a desirable thing to advocate.
Chris Thompson
Email: cet1@cam.ac.uk
archive: <http://ops.ietf.org/lists/namedroppers/>