To: dnssec@cafax.se
Cc: Edward Lewis <lewis@tislabs.com>
From: Edward Lewis <lewis@tislabs.com>
Date: Thu, 14 Jun 2001 17:00:52 -0400
Delivery-Date: Fri Jun 15 07:56:14 2001
In-Reply-To: <200106140740.f5E7epu32801@bartok.sidn.nl>
Sender: owner-dnssec@cafax.se
Subject: Re: Verisign's opt-in twist

It's still there - non-existing has no records in the answer section and
NXDOMAIN, unsecured has an NS set and NOERROR.  'Course that assumes no one
is attacking.

Versus the current (unsecured) DNS, this proposal "does no harm."  Versus
having all names in the NXT chain, it is possible to spoof an unsecured
zone as nonexistent.  Yes, this weakens the security to some extent, but I
don't believe that it is significant.

If an unsecured zone is recognized as existing but said to be unsecured (in
NXT and has NULL KEY), an attacker could still just hijack the zone more
directly by spoofing as one of the real name servers (dnsiff).  If this
new proposal is adopted, all the attacker would be doing is altering the
RCODE and removing the NS set.

I think the benefit of this proposal is that it reduces the cost of
carrying unsecured delegations, obviating the need for opt-in.  This will
also ease the way for DNSSEC in large zones - in particular com.
Additionally, the means used easily scale downward to smaller zones - so
com is not a special case.  No special case means simpler resolver code.

I do think the ability to hide other data from NXT (as suggested by Roy)
may be undesired, however.  I could see administrators abusing this - but
then again "it's their prerogative" to remain unsecure (in certain cases).
I think this is a point to debate.  (I.e., the rules governing NXT might
exclude *only* unsecured delegations - or be opened to more records.)  (One
type of data here might be email certificates in DNS.)

At 3:40 AM -0400 6/14/01, Jaap Akkerhuis wrote:
>
>    The rationale is that unsecured zones are just as at risk as they are now.
>    The upside is that there are no wasted cycles generating NXT's and KEY's
>    for them.
>
>That might be true, but it does change the semantics of the NXT record.
>But as far as I understand, the difference between an unsecured
>zone and a non-existing zone is gone.
>
>	jaap


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.
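As an added illustration, not part of this thread or anyone's posted code, the small Python model below builds a toy NXT chain for a zone two ways: with every name in the chain (the current rules) and with the unsecured delegation left out (the proposal). It shows the point under discussion: in the second case the NXT that spans the gap would also prove an NXDOMAIN for the unsecured name. The zone names and the simplified canonical ordering are constructed for the example.

```python
# Constructed example: a toy NXT chain, with and without unsecured delegations.

def _key(name):
    # Approximate DNSSEC canonical order: compare labels from the root down.
    return [label.lower() for label in reversed(name.rstrip(".").split("."))]

def build_nxt_chain(names):
    """Return the NXT chain as (owner, next) pairs over the given names.
    The last NXT wraps around to the first name (the zone apex)."""
    ordered = sorted(names, key=_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)])
            for i in range(len(ordered))]

def nxt_covers(nxt, qname):
    """True if qname sorts strictly between owner and next, i.e. this NXT
    asserts that no records exist at qname."""
    owner, next_name = nxt
    o, n, q = _key(owner), _key(next_name), _key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n          # wrap-around NXT at the end of the chain

def nxdomain_is_provable(chain, qname):
    """Would a validator accept a signed NXDOMAIN for qname given this chain?"""
    return any(nxt_covers(nxt, qname) for nxt in chain)

APEX = "example."                               # constructed zone
SECURED = ["a.example.", "c.example."]          # names with signed data
UNSECURED_DELEGATION = "b.example."             # NS set, NULL KEY, NOERROR today
NONEXISTENT = "d.example."                      # really not in the zone

# Current rules: every name in the zone, unsecured delegations included, owns an NXT.
full_chain = build_nxt_chain([APEX] + SECURED + [UNSECURED_DELEGATION])
# Proposal: unsecured delegations are left out of the chain entirely.
optin_chain = build_nxt_chain([APEX] + SECURED)

if __name__ == "__main__":
    for label, chain in (("all names in NXT", full_chain),
                         ("unsecured left out", optin_chain)):
        print(f"{label}: NXDOMAIN provable for {UNSECURED_DELEGATION}? "
              f"{nxdomain_is_provable(chain, UNSECURED_DELEGATION)}; "
              f"for {NONEXISTENT}? {nxdomain_is_provable(chain, NONEXISTENT)}")
```

With the full chain the validator can tell the unsecured delegation apart from a nonexistent name; with the opt-in style chain it cannot, which is exactly the "does no harm versus the current DNS, but weaker than a full chain" trade-off described above.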