Briefly, the answer is that the NXDOMAIN response could be replayed by a 
man-in-the-middle attacker. We need to have something to sign, something 
specific to that query. If we just return the zone's SOA record and its 
signature, we're still subject to a replay attack. So we need to prove the 
negative, and that happens by enumerating all the possible positive answers 
"near" the query.

Regards,
Chris Buxton
BlueCat Networks
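To make the point above concrete, here is an added example (it is not code from this thread, from BIND, or from BlueCat). It builds the NSEC chain for a small constructed zone, then shows what a validating resolver has to check when it receives an NSEC in an NXDOMAIN answer: not only that the record's signature is good, but that the record's owner/next-name range actually covers the queried name. A signed NSEC for some other gap in the zone is still a valid record, so an attacker can replay it; the range check is what defeats the replay. Assumptions: the zone names (example.com. and three children) are made up; an HMAC stands in for the RRSIG purely so the script runs offline, where real DNSSEC uses asymmetric signatures; and the closest-encloser/wildcard denial that a full NXDOMAIN proof also needs is left out.

```python
import hmac
import hashlib

# Constructed toy zone (assumption, not real data): the names that exist.
ZONE_APEX = "example.com."
ZONE_NAMES = ["example.com.", "alpha.example.com.", "beta.example.com.", "delta.example.com."]
# Stand-in for the zone's signing key; real DNSSEC uses asymmetric RRSIGs.
ZONE_KEY = b"toy-zone-signing-key"


def canonical_key(name):
    """RFC 4034 section 6.1 canonical ordering: compare labels from the root
    downwards, case-insensitively; a name that is a prefix of another sorts first."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(label.encode() for label in reversed(labels))


def in_zone(name, apex=ZONE_APEX):
    """True if name is at or below the zone apex."""
    a = canonical_key(apex)
    return canonical_key(name)[:len(a)] == a


def build_nsec_chain(names):
    """Sort the zone's names canonically and link each to its successor;
    the last name points back to the apex so the chain wraps around."""
    ordered = sorted(names, key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def sign_nsec(owner, nxt, key=ZONE_KEY):
    """Toy RRSIG: an HMAC over the NSEC's owner and next-name fields (stand-in only)."""
    msg = f"{owner.lower()} NSEC {nxt.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def signed_nsec_chain(names, key=ZONE_KEY):
    """The zone as the signer publishes it: (owner, next, signature) per NSEC."""
    return [(o, n, sign_nsec(o, n, key)) for o, n in build_nsec_chain(names)]


def nsec_covers(owner, nxt, qname):
    """True if qname falls strictly between owner and next in canonical order,
    i.e. this particular NSEC proves qname does not exist."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if o < n:
        return o < q < n
    # Wrap-around record: covers everything after the last name up to the apex.
    return q > o or q < n


def validate_nxdomain(qname, nsec_rr, key=ZONE_KEY):
    """What a validator must do with an NSEC in an NXDOMAIN answer: check the
    signature AND check that the record covers the query name. Returns (ok, reason)."""
    owner, nxt, sig = nsec_rr
    if not hmac.compare_digest(sig, sign_nsec(owner, nxt, key)):
        return False, "bad signature"
    if not (in_zone(owner) and in_zone(nxt) and in_zone(qname)):
        return False, "name out of zone"
    if canonical_key(qname) == canonical_key(owner):
        return False, "owner name exists"
    if not nsec_covers(owner, nxt, qname):
        return False, "NSEC does not cover qname (replayed or wrong record)"
    return True, "non-existence proven"


def find_covering_nsec(qname, chain):
    """What an honest authoritative server returns: the NSEC whose gap holds qname."""
    for rr in chain:
        if nsec_covers(rr[0], rr[1], qname):
            return rr
    return None


if __name__ == "__main__":
    chain = signed_nsec_chain(ZONE_NAMES)
    query = "gamma.example.com."
    honest = find_covering_nsec(query, chain)
    print("honest answer:", honest[:2], validate_nxdomain(query, honest))
    # Attacker replays the (validly signed) NSEC for the alpha->beta gap.
    replayed = chain[1]
    print("replayed NSEC:", replayed[:2], validate_nxdomain(query, replayed))
```

The replayed record passes the signature check, exactly as the signed SOA would in the scheme the question proposes; it is rejected only because its range does not include the queried name, which is why the chain has to enumerate the zone's real names rather than sign a generic "does not exist".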

On Feb 14, 2012, at 9:23 AM, Gaurav kansal wrote:

> Dear Team,
>  
> We have an authenticated response in DNSSEC through the trust chain.
> Now my question is why we need NSEC at all when we get a response 
> authentically from a DNSSEC-enabled server.
>  
> I mean, if a record exists in DNSSEC, then it replies with the answer along 
> with the RRSIG of that RR.
> And if the domain doesn't exist, then it can simply give NXDOMAIN and our job 
> will be done, as we trust that nameserver through the trust chain.
> So what's the need for NSEC?
>  
> Thanks and Regards, 
> GAURAV KANSAL 
> 9910118448 
> VoIP - 6259 
> Operation And Routing Unit 
> NIC, NEW DELHI
>  
> Please don't print this e-mail unless you really need to; it will save 
> trees on Planet Earth. 
> IPv4 is over,
> are you ready for the new network?
>  
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
