[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [DNSOP] Re: NSEC++ (Was: Re: DNSEXT Minutes @ IETF-63)

To: Dean Anderson <dean@av8.net>
Subject: Re: [DNSOP] Re: NSEC++ (Was: Re: DNSEXT Minutes @ IETF-63)
From: Joe Abley <jabley@ca.afilias.info>
Date: Fri, 9 Nov 2007 11:39:38 -0500
Cc: Mark Andrews <Mark_Andrews@isc.org>, namedroppers@ops.ietf.org, iesg@ietf.org
In-reply-to: <Pine.LNX.4.44.0711082323170.24644-100000@citation2.av8.net>
References: <Pine.LNX.4.44.0711082323170.24644-100000@citation2.av8.net>


On 8-Nov-2007, at 23:36, Dean Anderson wrote:

NSEC3 is meant to protect against disclosure of DNS data (a topic
discussed).

I don't think so. NSEC3 is intended to prevent enumeration of theresource records in a zone by a remote third party. That's not thesame thing.

For example, even if a zone contained NSEC3 records, it's stillperfectly possible for DNS data to be disclosed to parties who are notthe originator of a client query (e.g. through traffic intercept,query logs on intermediate caches, etc.)



Joe


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

References:
- Re: NSEC++ (Was: Re: DNSEXT Minutes @ IETF-63)
  - From: Dean Anderson <dean@av8.net>

Prev by Date: Re: NSEC++ (Was: Re: DNSEXT Minutes @ IETF-63)
Next by Date: draft-ietf-dnsext-forgery-resilience-01.txt
Previous by thread: Re: NSEC++ (Was: Re: DNSEXT Minutes @ IETF-63)
Next by thread: Re: NSEC++ (Was: Re: DNSEXT Minutes @ IETF-63)
Index(es):
- Date
- Thread