Re: [DNSOP] Stupid thought: why not an additional DNSKEY record flag: NSEC* only...

2017-01-04 Thread Mukund Sivaraman
On Wed, Jan 04, 2017 at 10:28:11AM -0800, Nicholas Weaver wrote: > An attacker in that position can just put in garbage, and you get > SERVFAIL instead of NXDOMAIN, regardless of whether the attacker has > compromised the key or not. A SERVFAIL is an erroneous condition. An NXDOMAIN is not - it is

Re: [DNSOP] Stupid thought: why not an additional DNSKEY record flag: NSEC* only...

2017-01-04 Thread Mukund Sivaraman
Hi Nicholas On Wed, Jan 04, 2017 at 10:28:11AM -0800, Nicholas Weaver wrote: > > > On Jan 4, 2017, at 10:24 AM, Mukund Sivaraman wrote: > > > > Hi Nicholas > > > > On Wed, Jan 04, 2017 at 09:33:04AM -0800, Nicholas Weaver wrote: > >> This way, you can deploy this solution today

Re: [DNSOP] Stupid thought: why not an additional DNSKEY record flag: NSEC* only...

2017-01-04 Thread Nicholas Weaver
> On Jan 4, 2017, at 10:24 AM, Mukund Sivaraman wrote: > > Hi Nicholas > > On Wed, Jan 04, 2017 at 09:33:04AM -0800, Nicholas Weaver wrote: >> This way, you can deploy this solution today using white lies, and as >> resolvers are updated, this reduces the potential negative

Re: [DNSOP] Stupid thought: why not an additional DNSKEY record flag: NSEC* only...

2017-01-04 Thread Mukund Sivaraman
Hi Nicholas On Wed, Jan 04, 2017 at 09:33:04AM -0800, Nicholas Weaver wrote: > This way, you can deploy this solution today using white lies, and as > resolvers are updated, this reduces the potential negative consequence > of a key compromise to “attacker can only fake an NXDOMAIN”, allowing >

[DNSOP] Stupid thought: why not an additional DNSKEY record flag: NSEC* only...

2017-01-04 Thread Nicholas Weaver
Any system which prevents zone enumeration requires online signing, https://www.cs.bu.edu/~goldbe/papers/nsec5faq.html But NSEC5 is almost certainly not going to be adopted, simply because of the partial deployment problem. NSEC3 lies work today, but people worry that NSEC3 might have server

Re: [DNSOP] Working Group Last Call draft-ietf-dnsop-refuse-any

2017-01-04 Thread Stephane Bortzmeyer
On Fri, Nov 25, 2016 at 07:50:48PM -0500, tjw ietf wrote a message of 114 lines which said: > This starts a Working Group Last Call for > draft-ietf-dnsop-refuse-any Since we'll apparently have one more iteration of the draft, one small detail. The draft says: > The