
Re: dnssec-updates text, include SOA in negative answers



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Edward Lewis wrote:
> So - would you consider instead a recommendation to not include NS
> records in a negative answer (as opposed to adding the SOA)?

Yes that would be fine. And I agree that less bits is better.

Since that SOA record was only used to give a TTL for the negative
caching, and the NSEC/NSEC3 records also have this TTL anyways; I see
the opportunity to remove that SOA+signature from many more messages ;)
But that digresses from the topic of this thread.

> I don't agree - if the signature fails, the record (set) is garbage if
> you care about security.  Well, I mean, if you get an NSEC* with a bad
> sig it is useless.  If you get one with a good sig but then the bit map
> doesn't make sense, then I'd still guess it is garbage, spindulated (I
> made that word up) in some botched zone update/cache issue or maybe a
> calculated to confuse attack.
> 
> (Maybe I am missing the point here.)

I agree that a bad sig makes the rrset bogus. I meant to say that part
of proving certain statements with NSECs consists of checking if the
proper NSECs are present, checking if the NSECs indicate the presence of
particular types, and so on. The outcome of these checks, taken together
with the proof question, results in a security status. The security
status is not determinable without determining as well whether the
message is a referral or a negative (or something else).

> I see your paranoia medication isn't working. ;)
> 
> DNSSEC doesn't guarantee that the data is correct, just that it came
> cleanly.  So there will be many times you validate the wrong IP
> address.  All DNSSEC does is make it possible to place blame on the poor
> zone admin who will probably be busy preparing a resume, in the old
> days, he would have been pointing a finger to the host admin. ;)

:-)

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHTZKjkDLqNwOhpPgRAku4AJ9gyT2NwARLo8sknxjqp9mGF8mCzgCfbwHu
smrCzaubqOrNPBvsUGV4eUM=
=vouB
-----END PGP SIGNATURE-----
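The structural checks Wouter describes (are the right NSECs present, what do their type bitmaps say, and is the message a referral or a negative answer) are easy to lose track of in prose. The following is an added worked example, not code from this thread or from any named resolver: a toy classifier that takes an already signature-validated set of NSEC records and decides whether they prove NODATA, NXDOMAIN, an (insecure) referral, or nothing usable. The RR type table and the sample zone are constructed for the example; wildcard synthesis (RFC 4035 section 5.3.4) is deliberately left out. Note that nothing here consults an SOA: the NSEC TTL is all the negative-caching step needs, which is Wouter's aside about the SOA being removable.

```python
# Toy NSEC proof classifier (constructed example; not from the thread or any
# named implementation). Assumes every NSEC's RRSIG already validated, so a bad
# signature would have made the RRset bogus before reaching this point.
from dataclasses import dataclass

# Constructed subset of RR type codes, enough to decode the bitmaps below.
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 28: "AAAA",
              43: "DS", 46: "RRSIG", 47: "NSEC"}


def decode_type_bitmap(wire: bytes) -> frozenset:
    """Decode an RFC 4034 section 4.1.2 type bitmap (window, length, bits)."""
    types, pos = set(), 0
    while pos < len(wire):
        window, length = wire[pos], wire[pos + 1]
        if not 1 <= length <= 32:
            raise ValueError("bitmap block length out of range")
        block = wire[pos + 2:pos + 2 + length]
        if len(block) != length:
            raise ValueError("truncated bitmap block")
        for byte_index, octet in enumerate(block):
            for bit in range(8):
                if octet & (0x80 >> bit):        # bit 0 is the most significant bit
                    code = window * 256 + byte_index * 8 + bit
                    types.add(TYPE_NAMES.get(code, f"TYPE{code}"))
        pos += 2 + length
    return frozenset(types)


@dataclass(frozen=True)
class Nsec:
    owner: str
    next_name: str
    types: frozenset        # mnemonics present at owner, from the type bitmap


def canonical_key(name: str) -> tuple:
    """RFC 4034 section 6.1 ordering: compare labels right to left, case-folded."""
    labels = [l.lower() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def nsec_covers(nsec: Nsec, name: str) -> bool:
    """True if name sorts strictly between owner and next (apex wrap-around included)."""
    o, n, q = (canonical_key(x) for x in (nsec.owner, nsec.next_name, name))
    if o < n:
        return o < q < n
    return q > o or q < n   # last NSEC in the zone points back to the apex


def common_ancestor(a: str, b: str) -> str:
    """Longest name that is an ancestor of (or equal to) both a and b."""
    shared = []
    for x, y in zip(canonical_key(a), canonical_key(b)):
        if x != y:
            break
        shared.append(x)
    return ".".join(reversed(shared)) + "."


def classify(qname: str, qtype: str, nsecs) -> str:
    """Return NODATA, NXDOMAIN, REFERRAL or BOGUS for a signed negative/referral response."""
    q = canonical_key(qname)
    for nsec in nsecs:
        o = canonical_key(nsec.owner)
        delegation = "NS" in nsec.types and "SOA" not in nsec.types
        if o == q:
            if delegation and qtype != "DS":
                return "REFERRAL"       # zone cut: parent NSEC says nothing about child types
            if qtype in nsec.types or "CNAME" in nsec.types:
                return "BOGUS"          # bitmap contradicts the NODATA claim
            return "NODATA"
        if delegation and q[:len(o)] == o:
            return "REFERRAL"           # qname lies below an (insecure) delegation point
    covering = [n for n in nsecs if nsec_covers(n, qname)]
    if not covering:
        return "BOGUS"                  # no NSEC denies qname itself
    nsec = covering[0]
    # Closest encloser: longest existing ancestor, recoverable from the covering NSEC.
    ce = max(common_ancestor(qname, nsec.owner), common_ancestor(qname, nsec.next_name),
             key=lambda n: len(canonical_key(n)))
    if any(nsec_covers(n, "*." + ce) for n in nsecs):
        return "NXDOMAIN"
    return "BOGUS"                      # wildcard at the closest encloser not denied


# Constructed sample zone "example.": apex, a.example (A only),
# sub.example (unsigned delegation: NS, no DS), z.example (AAAA only).
APEX = Nsec("example.", "a.example.",
            decode_type_bitmap(b"\x00\x06\x22\x00\x00\x00\x00\x03"))  # NS SOA RRSIG NSEC
A_NAME = Nsec("a.example.", "sub.example.", frozenset({"A", "RRSIG", "NSEC"}))
SUB = Nsec("sub.example.", "z.example.", frozenset({"NS", "RRSIG", "NSEC"}))
Z_NAME = Nsec("z.example.", "example.", frozenset({"AAAA", "RRSIG", "NSEC"}))

if __name__ == "__main__":
    print(classify("a.example.", "AAAA", [A_NAME]))          # NODATA
    print(classify("m.example.", "A", [A_NAME, APEX]))       # NXDOMAIN
    print(classify("m.example.", "A", [A_NAME]))             # BOGUS (wildcard not denied)
    print(classify("www.sub.example.", "A", [SUB]))          # REFERRAL
```

The two BOGUS paths are the ones the thread is really about: a signature-valid NSEC whose bitmap lists the queried type, and an NXDOMAIN response that denies the name but not the wildcard. Neither is a crypto failure, yet both leave the validator without a provable status, and the same NSEC at `sub.example.` yields NODATA for a DS query but REFERRAL for anything else, which is why the response type has to be decided before the security status can be.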

archive: <http://ops.ietf.org/lists/namedroppers/>