Re: [DNSOP] Fw: New Version Notification for draft-zuo-dnsop-delegation-confirmation-00.txt

2024-01-21 Thread Dick Franks
On Tue, 2 Jan 2024 at 07:34, zuop...@cnnic.cn wrote:
>8

>  This draft suggests a lightweight and backward-compatible mechanism to 
> mitigate the risk of these attacks.
>
>  Any comments are welcome!
>

The proposal contains internal inconsistencies and contradictions
which need to be addressed:

  4.2.  Responding to a request

 DDC request option should be responded by a DDC-aware authoritative
 server.  For a DDC-not-aware server, the presence of a DDC request
 option is ignored and the server responds as if no DDC request option
 had been included in the request.


  4.3.  Processing Responses

 If the client (usually a Recursive server) is expecting the response
 to contain a DDC respond option and it is missing, the response MUST
 be discarded.

The client has no way of knowing in advance if the server is DDC-aware.
Considering 4.2, merely sending a DDC request does not create any
reliable expectation that there will be a corresponding DDC response.



   Regarding the processing of the DNS delegation respond option by a
   recursive server, there are 4 possibilities:

   (1)  The client is expecting the response to contain a DDC respond
        option and it is missing.  In this case, the client processes
        the response as normal and does not implement DNS delegation
        confirmation.

This contradicts the MUST in the opening paragraph of 4.3.


--rwf

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
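The two client rules Dick Franks quotes, modelled as an added example (constructed here; not code from the draft, from CNNIC or from any resolver): a toy recursive server sends a DDC request option to an authoritative server that may or may not be DDC-aware (section 4.2), then judges the answer either by the 4.3 opening-paragraph MUST or by 4.3 case (1). The option markers, the `Policy` values and every function name are assumptions of this model.

```python
"""Toy model of the two client rules quoted from draft-zuo-dnsop-delegation-
confirmation-00 section 4.3.  Constructed example, not code from the draft or
from any resolver; option markers, Policy values and function names are
assumptions of this model."""
from dataclasses import dataclass, field
from enum import Enum

# Assumed markers standing in for the draft's DDC request / respond EDNS options.
DDC_REQUEST = "DDC_REQUEST"
DDC_RESPOND = "DDC_RESPOND"


class Policy(Enum):
    """The two contradictory rules the review points out."""
    DISCARD_IF_MISSING = "4.3 opening paragraph: response MUST be discarded"
    PROCESS_AS_NORMAL = "4.3 case (1): process response as normal, no DDC"


@dataclass
class Message:
    qname: str
    options: set = field(default_factory=set)


def authoritative_answer(query: Message, ddc_aware: bool) -> Message:
    """Section 4.2: only a DDC-aware server adds the respond option; a
    DDC-not-aware server ignores the request option and answers as usual."""
    options = set()
    if ddc_aware and DDC_REQUEST in query.options:
        options.add(DDC_RESPOND)
    return Message(qname=query.qname, options=options)


def resolver_accepts(response: Message, policy: Policy) -> bool:
    """Section 4.3 from the recursive server's side.  Having sent a DDC
    request it is 'expecting' a respond option, but (as the review notes) it
    cannot know whether the server was DDC-aware, so a missing option is
    ambiguous and either rule below is a guess about what it means."""
    if DDC_RESPOND in response.options:
        return True  # confirmation material present; normal DDC processing
    return policy is Policy.PROCESS_AS_NORMAL


def delegation_confirmed(response: Message) -> bool:
    """Whether the client actually got to perform delegation confirmation."""
    return DDC_RESPOND in response.options


def simulate(policy: Policy, ddc_aware: bool) -> tuple:
    """Returns (response accepted?, delegation confirmation performed?)."""
    query = Message("child.example.", {DDC_REQUEST})  # constructed query
    response = authoritative_answer(query, ddc_aware)
    accepted = resolver_accepts(response, policy)
    return accepted, accepted and delegation_confirmed(response)


def outcome_table() -> dict:
    """All four combinations of rule x server capability."""
    return {
        (policy.name, ddc_aware): simulate(policy, ddc_aware)
        for policy in Policy
        for ddc_aware in (True, False)
    }


if __name__ == "__main__":
    for (policy, aware), (accepted, confirmed) in outcome_table().items():
        print(f"{policy:<19} server_ddc_aware={aware!s:<5} "
              f"accepted={accepted!s:<5} confirmed={confirmed}")
```

Run as a script it prints the four rows. The rows for a DDC-not-aware server show the tension the review is about: under the MUST rule every answer from such a server is discarded, which sits badly with the draft's claim of backward compatibility, while under case (1) the answer is accepted but no delegation confirmation takes place, so against a server that does not implement the option the mechanism does nothing.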


Re: [DNSOP] Followup Working Group Last Call for draft-ietf-dnsop-dnssec-bootstrapping

2024-01-21 Thread John Levine
It appears that Tim Wicinski said:
>For WGLC, we need positive support and constructive comments; lack of
>objection is not enough.
>So if you think this draft should be published as an RFC, please say so.

I think we should publish it, but I also think we should publish the
NOTIFY draft at the same time so we don't have yet another thing that
requires DNS scanning.

R's,
John



Re: [DNSOP] Fw: New Version Notification for draft-zuo-dnsop-delegation-confirmation-00.txt

2024-01-21 Thread Måns Nilsson
Subject: [DNSOP] Fw: New Version Notification for draft-zuo-dnsop-delegation-confirmation-00.txt
Date: Tue, Jan 02, 2024 at 03:35:03PM +0800
Quoting zuop...@cnnic.cn (zuop...@cnnic.cn):
>   Hi all,
>   We submitted a draft about DNS delegation confirmation.  In the
> current DNS delegation mechanism, a delegated zone/child zone can specify any
> NS records at the zone apex without requiring confirmation from the zone
> maintaining glue records of these NS records. This could be exploited to launch
> new types of attacks such as NXNSAttack.  This draft suggests a
> lightweight and backward-compatible mechanism to mitigate the risk of these
> attacks.

DNSSEC solves most of this, as other replies have concluded.  Effort
should be directed towards deployment of existing solutions.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR   +46 705 989668
The SAME WAVE keeps coming in and COLLAPSING like a rayon MUU-MUU ...

