To: dnssec@cafax.se
Cc: Edward Lewis <lewis@tislabs.com>
From: Edward Lewis <lewis@tislabs.com>
Date: Thu, 14 Jun 2001 17:00:52 -0400
Delivery-Date: Fri Jun 15 07:56:14 2001
In-Reply-To: <200106140740.f5E7epu32801@bartok.sidn.nl>
Sender: owner-dnssec@cafax.se
Subject: Re: Verisign's opt-in twist
It's still there - non-existing has no records in the answer section and NXDOMAIN, unsecured has an NS set and NOERROR. 'Course that assumes no one is attacking. Versus the current (unsecured) DNS, this proposal "does no harm." Versus having all names in the NXT chain, it is possible to spoof an unsecured zone as nonexistent. Yes, this weakens the security to some extent, but I don't believe that it is significant. If an unsecured zone is recognized as existing but said to be unsecured (in NXT and has NULL KEY), an attacker could still just hijack the zone more directly by spoofing as one of the real name servers (dnsiff). If this new proposal is adopted, all the attacker would be doing is altering the RCODE and removing the NS set.

I think the benefit of this proposal is that it reduces the cost of carrying unsecured delegations, obviating the need for opt-in. This will also ease the way for DNSSEC in large zones - in particular com. Additionally, the means used easily scale downward to smaller zones - so com is not a special case. No special case means simpler resolver code.

I do think the ability to hide other data from NXT (as suggested by Roy) may be undesired, however. I could see administrators abusing this - but then again "it's their prerogative" to remain unsecure (in certain cases). I think this is a point to debate. (I.e., the rules governing NXT might exclude *only* unsecured delegations - or be opened to more records.) (One type of data here might be email certificates in DNS.)

At 3:40 AM -0400 6/14/01, Jaap Akkerhuis wrote:
>
> The rationale is that unsecured zones are just as at risk as they are now.
> The upside is that there are no wasted cycles generating NXT's and KEY's
> for them.
>
> That might be true, but it does change the semantics of the NXT record.
> But as far as I understand, the difference between an unsecured
> zone and a non-existing zone is gone.
>
> jaap

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                        NAI Labs
Phone: +1 443-259-2352                              Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.
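The semantic change the two messages above are debating, as an added illustration that is not code from the list or from any DNSSEC implementation: a small model of a zone's NXT chain built two ways, once with every name (unsecured delegations included, as today) and once with unsecured delegations left out (the proposal). It shows that under the proposal a nonexistent name and an unsecured delegation are covered by the same NXT record, so a validating resolver's verdict between "nonexistent" and "unsecured" rests on the unsigned RCODE and NS set, which is exactly the alteration Ed describes. The zone apex, names and the `classify` verdict strings are constructed for the example.

```python
# Added illustration for the thread's point; not code from the list or from
# any DNSSEC implementation.  Zone contents below are constructed.
# Models an NXT chain (RFC 2535 style) under two policies:
#   full chain      - every name, including unsecured delegations, owns an NXT
#   proposed chain  - unsecured delegations are left out of the chain

APEX = "example."
NAMES = ["a.example.", "foo.example.", "sec.example."]   # constructed zone
UNSECURED = {"foo.example."}                              # delegation with no KEY


def canonical_key(name):
    """Sort key giving DNS canonical order: labels compared right to left,
    case-insensitively, so a parent sorts before its children."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def build_nxt_chain(apex, names, unsecured, exclude_unsecured):
    """Return the NXT chain as (owner, next) pairs; the last NXT wraps to the apex."""
    members = {apex} | {n for n in names
                        if not (exclude_unsecured and n in unsecured)}
    ordered = sorted(members, key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)])
            for i in range(len(ordered))]


def nxt_covers(owner, nxt_next, qname):
    """True if qname falls strictly inside the gap this NXT describes."""
    k, o, n = (canonical_key(x) for x in (qname, owner, nxt_next))
    if o < n:
        return o < k < n
    return k > o or k < n          # wrap-around NXT (last owner -> apex)


def find_covering_nxt(chain, qname):
    """The NXT whose gap contains qname, or None if qname owns its own NXT."""
    for owner, nxt_next in chain:
        if nxt_covers(owner, nxt_next, qname):
            return (owner, nxt_next)
    return None


def classify(rcode, has_ns_set, covering_nxt, exclude_unsecured):
    """What a validating resolver can conclude about a queried name."""
    if covering_nxt is None:
        # The name is an NXT owner: its type bitmap (and a NULL KEY for an
        # unsecured delegation) is signed data.
        return "name-in-chain"
    if not exclude_unsecured:
        # Full chain: a covering NXT is a signed proof of nonexistence.
        return "nonexistent-authenticated"
    # Proposed chain: a covering NXT proves only "not a secured name".  The
    # split between nonexistent and unsecured rests on unsigned fields.
    if rcode == "NXDOMAIN" and not has_ns_set:
        return "nonexistent-unauthenticated"
    if rcode == "NOERROR" and has_ns_set:
        return "unsecured-delegation-unauthenticated"
    return "inconsistent-response"


def demo():
    """Show one covering NXT serving two different answers under the proposal."""
    full = build_nxt_chain(APEX, NAMES, UNSECURED, exclude_unsecured=False)
    proposed = build_nxt_chain(APEX, NAMES, UNSECURED, exclude_unsecured=True)

    # Full chain: the unsecured delegation owns an NXT, a mistyped name does not.
    full_foo = classify("NOERROR", True, find_covering_nxt(full, "foo.example."), False)
    full_missing = classify("NXDOMAIN", False,
                            find_covering_nxt(full, "nonexist.example."), False)

    # Proposed chain: both names fall in the same gap and get the same NXT.
    nxt_foo = find_covering_nxt(proposed, "foo.example.")
    nxt_missing = find_covering_nxt(proposed, "nonexist.example.")
    honest = classify("NOERROR", True, nxt_foo, True)
    # Same NXT, but RCODE flipped and NS set dropped: the resolver cannot tell.
    altered = classify("NXDOMAIN", False, nxt_foo, True)

    return {
        "full_chain_len": len(full),
        "proposed_chain_len": len(proposed),
        "full_foo": full_foo,
        "full_missing": full_missing,
        "same_nxt_for_both": nxt_foo == nxt_missing,
        "honest_verdict": honest,
        "altered_verdict": altered,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the full chain with four NXT records (the unsecured `foo.example.` owns one, so a lookup for `nonexist.example.` gets a signed proof of nonexistence) and the proposed chain with three, where `foo.example.` and `nonexist.example.` are both covered by the `a.example.` to `sec.example.` NXT; only the RCODE and NS set separate the two verdicts.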