Re: Proposal to fix NSEC
> ...
> If we follow this path, it still leaves two options open at this stage,
> AFAICS:
> ...
> b) Assume that NSEC2 will somehow find a way within the DNSSECbis docset to
> migrate without change to DNSSECbis.
i'm writing up a proposal to this effect in the xterm next to this one.
> I actually am still of the view that if nameservers suddenly started
> returning NSEC2 instead of NSEC things would work as desired: namely old
> resolvers would suddenly get protocol errors instead of NXDOMAIN, and new
> resolvers would just work.
that would be a downgrade attack, launched by a zone owner against herself,
and would only be of interest to zone owners who had not previously
implemented dnssec-bis. let's do better. i know several ways to do better.
--
archive: <http://ops.ietf.org/lists/namedroppers/>