
Re: [dnsext] I-D Action:draft-ietf-dnsext-dnssec-rsasha256-07.txt



In message <49379D93.3010700@NLnetLabs.nl>, Jelte Jansen writes:
> Mark Andrews wrote:
> > 
> > 	The only reason to have different numbers is if the wg
> > 	believes that there will be DNSSEC implementations in the
> > 	future that will not support NSEC3.  Given that a number
> > 	of TLD's intend to deploy NSEC3 I can't see any new
> > 	implementation not including NSEC3 support.
> > 
> 
> me neither, but tell it to the chairs, they made me ;)
> 
> Apparently it has already been decided that there will be validators
> that do not do nsec3, even if they cannot validate much of the internet...
> 
> But actually, there was a better reason to use algorithm number
> signaling imho. I think Sam pointed me to that. That is that there are
> no other nsec-type-signaling mechanisms, so until you actually get NSEC
> or NSEC3 records as a validator, you don't know what you are supposed to
> get, opening you up for downgrade attacks if either NSEC or NSEC3 turns
> out to contain an attackable problem.

	It doesn't matter.  An answer will contain one or the other
	but not both for a given zone.  There is no downgrade attack.
	I can return NSEC or NSEC3 records with algorithm 7 today.

	Mark
 
> Jelte
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
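The two positions in the exchange above can be stated as a single validator check: the DNSKEY algorithm numbers of a zone tell the validator which denial-of-existence types it may accept (algorithm 7 signals NSEC3 capability but, as Mark notes, such a zone can still serve NSEC), and a negative answer for one zone must carry NSEC or NSEC3 but never both. The following Python is an added example, not code from either participant or from any DNS implementation; the algorithm table is simplified, and the entry for algorithm 8 (RSASHA256, the draft under discussion) permitting either type is an assumption made for the example. Record data is reduced to RR type names, since the check does not depend on owner names, hashes or signatures.

```python
"""Simplified model of NSEC/NSEC3 expectation checks in a DNSSEC validator.

Added example, not code from the thread participants or from any DNS
implementation. It models only the point under discussion: a zone's
DNSKEY algorithm numbers tell a validator which denial-of-existence
type it may accept, and one zone's negative answer carries NSEC or
NSEC3 but never both.
"""

# DNSKEY algorithm number -> denial-of-existence types a zone signed with
# it may use. 5 is RSASHA1 (NSEC only). 7 is RSASHA1-NSEC3-SHA1, the
# NSEC3-signalling alias; per Mark's remark such a zone may still serve
# NSEC. 8 (RSASHA256) is ASSUMED here to permit either type, which is the
# option the thread is debating for the draft.
DENIAL_TYPES_BY_ALGORITHM = {
    5: {"NSEC"},
    7: {"NSEC", "NSEC3"},
    8: {"NSEC", "NSEC3"},  # assumption, see above
}


def expected_denial_types(dnskey_algorithms):
    """Union of denial types permitted by the zone's signing algorithms.

    Unknown algorithm numbers contribute nothing: a validator that does
    not support an algorithm does not guess what its denial records mean.
    """
    allowed = set()
    for alg in dnskey_algorithms:
        allowed |= DENIAL_TYPES_BY_ALGORITHM.get(alg, set())
    return allowed


def check_negative_answer(dnskey_algorithms, authority_rrtypes):
    """Return (ok, reason) for the RR types seen in the authority section
    of a negative answer that belongs to a single zone."""
    present = {t for t in authority_rrtypes if t in ("NSEC", "NSEC3")}
    if not present:
        return False, "no denial-of-existence records"
    if len(present) > 1:
        # One zone's answer carries NSEC or NSEC3, not both.
        return False, "mixed NSEC and NSEC3 in one answer"
    (got,) = present
    allowed = expected_denial_types(dnskey_algorithms)
    if got not in allowed:
        return False, f"{got} not permitted by zone algorithms {sorted(dnskey_algorithms)}"
    return True, f"{got} accepted"


# Constructed sample answers: (zone DNSKEY algorithms, authority RR types).
SAMPLES = {
    "alg7_nsec3": ([7], ["SOA", "RRSIG", "NSEC3", "RRSIG", "NSEC3", "RRSIG"]),
    "alg7_nsec": ([7], ["SOA", "RRSIG", "NSEC", "RRSIG"]),
    "alg5_nsec3": ([5], ["SOA", "RRSIG", "NSEC3", "RRSIG"]),
    "mixed": ([7], ["SOA", "RRSIG", "NSEC", "RRSIG", "NSEC3", "RRSIG"]),
    "unknown_alg": ([99], ["SOA", "RRSIG", "NSEC", "RRSIG"]),
}


def run_samples():
    """Map each constructed sample to whether the validator accepts it."""
    return {name: check_negative_answer(algs, rrs)[0]
            for name, (algs, rrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (algs, rrs) in SAMPLES.items():
        print(f"{name:12s} {check_negative_answer(algs, rrs)}")
```

The `alg5_nsec3` case is the one the signalling scheme exists for: a validator that knows the zone is signed only with algorithm 5 rejects NSEC3 records rather than trying to interpret a type it was never told to expect, and the `mixed` case encodes the one-or-the-other rule from the reply above.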

archive: <http://ops.ietf.org/lists/namedroppers/>