To: Roy Arends <Roy.Arends@nominum.com>
Cc: Mark Kosters <markk@netsol.com>, <dnssec@cafax.se>, <namedroppers@ops.ietf.org>, Roy Arends <Roy.Arends@nominum.com>
From: Edward Lewis <lewis@tislabs.com>
Date: Wed, 4 Jul 2001 08:53:52 -0400
In-Reply-To: <Pine.BSF.4.33.0107040256460.8709-100000@node10c4d.a2000.nl>
Sender: owner-dnssec@cafax.se
Subject: Re: Ideas on opt-in, was Re: I-DACTION:draft-ietf-dnsext-dnssec-opt-in-00.txt
At 10:46 PM -0400 7/3/01, Roy Arends wrote:

> > 1 and 2 indicate signed delegations.
> 3 indicates an unsigned delegation.
> 4 is of "NXDOMAIN". Neither label nor type exists in this zone.
> 5 is an authoritative response with a signed RRset in ANSWER.
> 6 is of "NO DATA". Label exists, but type does not exist in this zone.
> 7 is an authoritative response with an unsigned RRset in ANSWER.
>
> Conclusion:
> -----------
>
> If the receiving secure resolver does not know whether the zone was
> partially signed or fully signed, while a zone was fully signed (aka
> rfc2535-style), responses like 3 and 7 are spoofed. It is necessary for
> the resolver to know how to interpret the NXT record.

Responses 3 and 7 are open to spoofing. But this isn't any worse than not
using DNSSEC at all.

In the case for #3, if the parent is unsigned (as it is today), then the
zone is spoofed. When the parent is signed and indicates that the
delegation exists, albeit unsecured, spoofing this is hard (/impossible).
However, the contents of the zone are spoofable, as well as the NS set
given as hints. (Without TSIG, the NS set could simply be modified to
pollute caches.) The only loss in this twist is that it is harder to prove
a delegation should exist. But with or without the twist, you aren't
guaranteed any data returned.

In the case for #7, the comparison is much simpler. With opt-in and
exclusion from the NXT chain, the parent is considered unsecured for this
record set. When included, the zone is secured as far as the record set is
concerned.

Whether this will confuse the resolver, I think that's a yes. But then
again, the resolver (in 9.1.3.rc2) didn't seem to understand sig@parent
(unless we screwed up some other part of the workshop set up).

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NAI Labs
Phone: +1 443-259-2352
Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.
Opinions expressed are property of my evil twin, not my employer.
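The point in this exchange, that responses 3 and 7 look spoofed to a resolver that reads NXT records RFC 2535-style but are merely "unsecured" to one that understands opt-in spans, can be shown with a small resolver model. The following is an added illustration, not code from the thread or from any DNSSEC implementation. It assumes a constructed zone "example." with three NXT records, represents the opt-in marking as a plain boolean on the NXT (the draft's wire encoding is not reproduced), replaces signature verification with a `signed` flag on the response, and does not model RFC 2535's NULL-key convention for insecure delegations: every RRset at a name that is in the chain is simply expected to be signed.

```python
"""Toy model of how a validating resolver interprets NXT records under
RFC 2535 (fully signed zone) versus the opt-in proposal.  Zone contents,
the NXT chain and the boolean opt-in flag are constructed for this example;
the flag stands in for the draft's on-the-wire encoding, which is not
modelled, and signature verification is replaced by a 'signed' boolean."""

from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


def canon(name: str) -> Tuple[str, ...]:
    """Canonical ordering key (RFC 2535 section 8): labels compared from the
    root downwards, case-folded, so a parent sorts before all of its children."""
    return tuple(reversed([l.lower() for l in name.rstrip(".").split(".") if l]))


@dataclass(frozen=True)
class NXT:
    owner: str
    next_name: str
    types: frozenset          # types present at owner (the NXT type bitmap)
    opt_in: bool = False      # constructed flag: span may hold unsigned names


@dataclass(frozen=True)
class Response:
    name: str
    rtype: str
    signed: bool              # True if the RRset carried a SIG that verified


def covering_nxt(chain: Iterable[NXT], name: str) -> Optional[NXT]:
    """Find the NXT whose owner equals name, or whose span (owner, next)
    contains it; the last NXT's span wraps around to the zone apex."""
    key = canon(name)
    for nxt in chain:
        lo, hi = canon(nxt.owner), canon(nxt.next_name)
        if key == lo:
            return nxt
        if lo < hi:
            if lo < key < hi:
                return nxt
        elif key > lo or key < hi:        # wrap-around span
            return nxt
    return None


def classify(resp: Response, chain: Iterable[NXT], understands_opt_in: bool) -> str:
    """Decide what a resolver makes of a response, given the zone's NXT chain."""
    if resp.signed:
        return SECURE
    nxt = covering_nxt(chain, resp.name)
    if nxt is None:
        return BOGUS                      # no NXT proof at all
    if canon(nxt.owner) == canon(resp.name):
        # The name is in the chain, so every RRset at it must carry a SIG
        # (RFC 2535's NULL-key convention for delegations is not modelled).
        return BOGUS
    if nxt.opt_in and understands_opt_in:
        return INSECURE                   # opt-in span: name may exist unsigned
    # A 2535-style resolver reads the span as "this name does not exist",
    # so the unsigned data looks spoofed (Roy's responses 3 and 7).
    return BOGUS


# Constructed zone "example." with three NXTs; two of the spans are opted in.
CHAIN = (
    NXT("example.", "b.example.", frozenset({"SOA", "NS", "KEY", "SIG", "NXT"}), opt_in=True),
    NXT("b.example.", "d.example.", frozenset({"NS", "KEY", "SIG", "NXT"})),
    NXT("d.example.", "example.", frozenset({"A", "SIG", "NXT"}), opt_in=True),
)


def outcomes(resp: Response) -> Tuple[str, str]:
    """(2535-style resolver verdict, opt-in-aware resolver verdict)."""
    return classify(resp, CHAIN, False), classify(resp, CHAIN, True)


if __name__ == "__main__":
    for r in (Response("a.example.", "NS", False),   # response 3: unsigned delegation
              Response("z.example.", "A", False),    # response 7: unsigned RRset
              Response("c.example.", "NS", False),   # forged name in a fully signed span
              Response("b.example.", "NS", False),   # SIG stripped from a chained name
              Response("d.example.", "A", True)):    # response 5: signed answer
        print(r.name, r.rtype, outcomes(r))
```

The two verdict columns line up with the thread: "a.example." and "z.example." fall inside opted-in spans, so the 2535-style resolver rejects them as spoofed while the opt-in-aware one accepts them as unsecured; "c.example." lies in a span that was not opted in, so both resolvers reject it, which is the protection a fully signed span still gives; and stripping the SIG from a name that is in the chain is caught either way.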