At Mon, 25 Apr 2016 21:39:32 +0200, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
> Stephane Bortzmeyer <bortzme...@nic.fr> wrote
> a message of 17 lines which said:
>
> > > Title : NXDOMAIN really means there is nothing
> > > underneath
> > > Authors : Stephane Bortzmeyer
> > > Shumon Huque
> > > Filename : draft-ietf-dnsop-nxdomain-cut-02.txt
> >
> > We believe it implements all the changes that were on the slides at
> > the Buenos Aires meeting and that it addresses all the remarks we got
> > (and even a few more).
>
> It seems everyone was tired after Buenos-Aires. Come on, you certainly
> have something to say, positive or negative, about this draft.

I've just read the very latest version (03) of the draft. It looks good
to me. I'd even support it if there were now a WG last call.

I've noticed a couple of minor points in this iteration of reading. You
may or may not want to address them in a subsequent version:

- Section 2

   If the NXDOMAIN response due to a cached non-existence is from a
   DNSSEC signed zone, then it will have accompanying NSEC or NSEC3
   records that authenticate the non-existence of the name.
   [...]

  The behavior described in this section is one form of
  [I-D.fujiwara-dnsop-nsec-aggressiveuse]. You might note this point,
  referring to the I-D (and maybe also referring to Appendix B).

- Section 3

   "NXDOMAIN cut" may also help mitigate certain types of random QNAME
   attacks [joost-dnsterror] [balakrichenan-dafa888], where there is a
   fixed suffix which does not exist.

  This is true, but I suspect it would be pretty easy for this type of
  attacker to circumvent the effect if and when the nxdomain-cut
  behavior is more widely deployed. An attacker for the '.wf' zone
  would simply send a random junk query <random>.wf instead of
  <random>.dafa888.wf. So I think the mitigation effect in this sense
  is quite limited.

--
JINMEI, Tatuya
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
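The following is an added illustration of the "NXDOMAIN cut" behaviour discussed in the message above and of the limit Jinmei points out for Section 3; it is not code from the draft, from its authors, or from the DNSOP thread. It models a toy resolver whose negative cache applies the cut rule (a cached NXDOMAIN for a name also answers every name under it) and that uses QNAME minimisation, so that it learns the non-existence of the fixed suffix from the first random-subdomain query; the zone data, the name `dafa888.wf`, and the random query stream are all constructed, and DNSSEC validation is not modelled (a real resolver should only apply the cut to NXDOMAINs it trusts, i.e. validated or received from the zone's own servers). Counting upstream queries shows the mitigation for `<random>.dafa888.wf` and its absence for `<random>.wf`.

```python
"""Toy resolver negative cache with the "NXDOMAIN cut" rule.

Added example, not code from draft-ietf-dnsop-nxdomain-cut or the DNSOP
thread. Zone contents and query traffic below are constructed. Assumed:
QNAME minimisation (the resolver asks for the shortest unknown suffix
first) and no DNSSEC; a real resolver must only apply the cut to
NXDOMAINs it trusts.
"""
from __future__ import annotations

import random
import string
from dataclasses import dataclass, field

# Constructed "authoritative" data: "wf" and "example.wf" exist,
# "dafa888.wf" does not.
EXISTING_NAMES = {"wf", "example.wf", "www.example.wf"}


def labels(name: str) -> list[str]:
    """Split a domain name into lowercase labels, ignoring a trailing dot."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def ancestors(name: str) -> list[str]:
    """The name itself, then each parent up to (not including) the root."""
    ls = labels(name)
    return [".".join(ls[i:]) for i in range(len(ls))]


def authoritative_exists(name: str) -> bool:
    """Stand-in for the authoritative servers: a name exists if it is in
    the zone data or is an empty non-terminal above something that is."""
    n = ".".join(labels(name))
    return any(e == n or e.endswith("." + n) for e in EXISTING_NAMES)


@dataclass
class Resolver:
    nxdomain_cache: set[str] = field(default_factory=set)  # negative cache
    exists_cache: set[str] = field(default_factory=set)    # positive cache
    upstream_queries: int = 0

    def cached_cut(self, name: str) -> str | None:
        """Cut rule: an NXDOMAIN cached for X covers every name under X.
        Returns the covering cached name, or None."""
        for anc in ancestors(name):
            if anc in self.nxdomain_cache:
                return anc
        return None

    def resolve(self, name: str) -> str:
        """Return 'NXDOMAIN' or 'NOERROR', going upstream only when needed."""
        if self.cached_cut(name) is not None:
            return "NXDOMAIN"  # answered from cache, no upstream traffic
        ls = labels(name)
        # QNAME minimisation: walk from the TLD down, skipping known suffixes.
        for i in range(len(ls) - 1, -1, -1):
            prefix = ".".join(ls[i:])
            if prefix in self.exists_cache:
                continue
            self.upstream_queries += 1
            if authoritative_exists(prefix):
                self.exists_cache.add(prefix)
            else:
                self.nxdomain_cache.add(prefix)  # cut point learned here
                return "NXDOMAIN"
        return "NOERROR"


def random_label(rng: random.Random, n: int = 10) -> str:
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(n))


def simulate(suffix: str, count: int, seed: int = 1) -> int:
    """Send `count` random-QNAME queries under `suffix`; return how many
    reached the authoritative side."""
    rng = random.Random(seed)
    r = Resolver()
    for _ in range(count):
        r.resolve(f"{random_label(rng)}.{suffix}")
    return r.upstream_queries


if __name__ == "__main__":
    # Fixed non-existent suffix: 2 upstream queries, the rest hit the cut.
    print("dafa888.wf:", simulate("dafa888.wf", 1000))
    # Random names directly under an existing zone: one per query (plus 1).
    print("wf:        ", simulate("wf", 1000))
```

Running it prints 2 for the `dafa888.wf` suffix and 1001 for `wf`: once `dafa888.wf` is cached as NXDOMAIN, every name beneath it is answered locally, whereas an attacker sending `<random>.wf` is never covered by a cached cut, which is the circumvention Jinmei describes.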