Re: [DNSOP] order of records in DNAME responses

2017-02-24 Thread Matthäus Wander
* Evan Hunt [2017-02-24 00:24]: > I'd like to start a discussion of that now. Does anyone have a problem > with the idea of clarifying the protocol here, saying that the order of > records in the answer section of a chaining response is significant, and in > particular, that a DNAME MUST precede t
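The chaining the thread discusses is the DNAME-to-CNAME synthesis of RFC 6672: a query name that is a proper subdomain of the DNAME owner gets the owner suffix replaced by the DNAME target, and the server emits the DNAME followed by the synthesized CNAME. The following is an added example, not code from the thread or from any implementation mentioned in it; the record representation (owner, type, rdata tuples with presentation-format names) is this example's own convention.

```python
"""DNAME-to-CNAME synthesis (RFC 6672) plus an answer-section ordering check.

Added example, not code from the list thread.  Names are handled as
lowercase label tuples; an answer section is a list of
(owner, rtype, rdata) tuples, a representation chosen only for this example.
"""


def labels(name: str) -> tuple:
    """Split an absolute or relative name into lowercase labels; root is ()."""
    name = name.rstrip(".")
    return tuple(name.lower().split(".")) if name else ()


def join(parts: tuple) -> str:
    """Inverse of labels(): absolute presentation-format name."""
    return ".".join(parts) + "." if parts else "."


def synthesize_cname(qname: str, dname_owner: str, dname_target: str) -> str:
    """Return the CNAME target synthesized for qname from the DNAME RR.

    RFC 6672 section 2.2: qname = prefix + owner  ->  prefix + target.
    The owner itself is never substituted (a query for the owner name
    gets the owner's own data, not a synthesized CNAME), and a result
    longer than 255 wire octets must be refused (YXDOMAIN).
    """
    q, o, t = labels(qname), labels(dname_owner), labels(dname_target)
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        raise ValueError("qname is not a proper subdomain of the DNAME owner")
    prefix = q[:len(q) - len(o)]
    new = prefix + t
    # Wire size: one length octet per label plus the label, plus the root octet.
    if sum(len(l) + 1 for l in new) + 1 > 255:
        raise ValueError("synthesized name exceeds 255 octets (YXDOMAIN)")
    return join(new)


def build_answer(qname: str, dname_owner: str, dname_target: str) -> list:
    """Answer section of a chaining response: DNAME first, then the CNAME."""
    return [
        (dname_owner, "DNAME", dname_target),
        (qname, "CNAME", synthesize_cname(qname, dname_owner, dname_target)),
    ]


def dname_precedes_cname(answer: list) -> bool:
    """True if every CNAME that a DNAME in this section would synthesize
    appears after that DNAME.  Ordinary (non-synthesized) CNAMEs are ignored."""
    dnames = [(i, o, r) for i, (o, t, r) in enumerate(answer) if t == "DNAME"]
    for i, (owner, rtype, rdata) in enumerate(answer):
        if rtype != "CNAME":
            continue
        for j, d_owner, d_target in dnames:
            try:
                synth = synthesize_cname(owner, d_owner, d_target)
            except ValueError:
                continue  # this DNAME does not apply to that owner
            if labels(synth) == labels(rdata) and j > i:
                return False
    return True


if __name__ == "__main__":
    # Constructed sample: example.com. DNAME example.net., query www.example.com.
    for rr in build_answer("www.example.com.", "example.com.", "example.net."):
        print(rr)
```

A validating resolver that walks the answer section in order can verify the CNAME against the DNAME it has already seen; with the records reversed the check above fails, which is the ordering problem the thread proposes to settle by specification.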

Re: [DNSOP] Stupid thought: why not an additional DNSKEY record flag: NSEC* only...

2017-01-05 Thread Matthäus Wander
Paul Hoffman wrote on 2017-01-05 20:44: >> A pre-computed chain does not provide the same benefit. It increases the >> enumeration cost in terms of network queries (CPU time is of less >> importance here because the collection process is network-bound except >> for the very last few NSEC3 records)

Re: [DNSOP] Stupid thought: why not an additional DNSKEY record flag: NSEC* only...

2017-01-05 Thread Matthäus Wander
* Paul Hoffman [2017-01-05 18:05]: >> NSEC3 lies work today, but people worry that NSEC3 might have server >> compromise compromise the ZSK. > > NSEC3 lies can also be created with pre-computing, but at a cost of > greatly increasing the size of the zone. NSEC/NSEC3 lies prevent enumeration effec

Re: [DNSOP] Stupid thought: why not an additional DNSKEY record flag: NSEC* only...

2017-01-05 Thread Matthäus Wander
* Mukund Sivaraman [2017-01-04 19:24]: > Assume an attacker is able to spoof answers, which is where DNSSEC > validation helps. If a ZSK is leaked, it becomes a problem only when an > attacker is able to spoof answers (i.e., perform the attack). > > What you're saying is that with a special NSEC3-

Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-priming

2016-01-23 Thread Matthäus Wander
Paul Hoffman wrote on 2016-01-23 21:47: > On 22 Jan 2016, at 14:44, Wessels, Duane wrote: > >> I think I'm okay with "resolvers SHOULD send DO when priming." Seems >> like BIND and Unbound already do this. > > Noted. Waiting to hear from a bunch more people on this. No objection. >> Do we also

Re: [DNSOP] Comments regarding the NSEC5

2015-03-24 Thread Matthäus Wander
* Paul Hoffman [2015-03-24 13:57]: > On Mar 23, 2015, at 6:23 PM, Jan Včelák wrote: >>> - The statement about NSEC3 "offline dictionary attacks are still possible >>> and have been demonstrated" doesn't take into account trivial changes that >>> an operator can choose to take if they are really

Re: [DNSOP] various approaches to dns channel secrecy

2014-07-07 Thread Matthäus Wander
* Paul Vixie [2014-07-06 19:29]: > Matthäus Wander wrote: >> * Paul Vixie [7/5/2014 7:47 PM]: >>> Matthäus Wander wrote: >>>> DTLS works on top of UDP (among others) and thus can pass CPE devices. >>> no, it cannot. DTLS does not look like something that the CP

Re: [DNSOP] various approaches to dns channel secrecy

2014-07-06 Thread Matthäus Wander
* Paul Vixie [7/5/2014 7:47 PM]: > Matthäus Wander wrote: >> DTLS works on top of UDP (among others) and thus can pass CPE devices. > > no, it cannot. DTLS does not look like something that the CPE was programmed > to accept; thus in many cases it is silently dropped. > DTLS

Re: [DNSOP] various approaches to dns channel secrecy

2014-07-05 Thread Matthäus Wander
* Paul Vixie [7/5/2014 5:04 AM]: > datagram level channel secrecy (for example, DTLS or IPSEC) offers a > solution which matches the existing datagram level UDP transport used > primarily by DNS. however, the all-pervasive middleboxes (small plastic > CPE devices installed by the hundreds of millio

Re: [DNSOP] draft-zhang-dnsop-weak-trust-anchor.txt

2014-05-30 Thread Matthäus Wander
Hi, Section 4: >If the resolver was >configured with a weak trust anchor and got nothing after sending a >request with DO bit set, then it should clear DO bit in the EDNS0 in >the query message and query again to the authoritative name server. >So it could receive a normal DNS

Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...

2014-03-28 Thread Matthäus Wander
* Bill Woodcock [2014-03-27 23:54]: > > On Mar 27, 2014, at 10:14 AM, Matthäus Wander > wrote: >> Here's a small statistic about RSA key lengths of 741,552 signed >> second-level domains (collected on 2014-01-27

Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...

2014-03-27 Thread Matthäus Wander
* Nicholas Weaver [2014-03-27 14:56]: > So why are both root and com and org and, well, just about > everyone else using 1024b keys for the actual signing? Here's a small statistic about RSA key lengths of 741,552 signed second-level domains (collecte
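A key-length statistic like the one quoted above is computed from DNSKEY records, whose public key field for the RSA algorithms is the RFC 3110 encoding: one exponent-length octet (or a zero octet followed by a two-octet length for exponents of 256 or more octets), the exponent, then the modulus. The key size is the bit length of that modulus. The following is an added example, not the author's collection script; the DNSKEY records in it are constructed with synthetic moduli and are not keys of any real zone.

```python
"""Extract RSA modulus sizes from DNSKEY RDATA (RFC 3110) and tally them.

Added example, not the script behind the thread's statistic.  The sample
records below are constructed: the moduli are synthetic integers of a
chosen bit length, not real public keys.
"""
import base64

# DNSKEY algorithm numbers that carry an RFC 3110 RSA public key.
RSA_ALGORITHMS = {1: "RSAMD5", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1",
                  8: "RSASHA256", 10: "RSASHA512"}


def rsa_modulus_bits(pubkey_b64: str) -> int:
    """Bit length of the modulus in an RFC 3110 RSA public key field."""
    raw = base64.b64decode(pubkey_b64)
    if not raw:
        raise ValueError("empty public key")
    exp_len, offset = raw[0], 1
    if exp_len == 0:
        # Long form: the next two octets hold the exponent length.
        if len(raw) < 3:
            raise ValueError("truncated exponent length")
        exp_len, offset = int.from_bytes(raw[1:3], "big"), 3
    modulus = raw[offset + exp_len:]
    if exp_len == 0 or not modulus:
        raise ValueError("malformed RSA public key")
    return int.from_bytes(modulus, "big").bit_length()


def key_length_from_dnskey(rdata: str) -> tuple:
    """Parse presentation-format DNSKEY RDATA 'flags protocol algorithm key'.

    Returns (flags, algorithm, modulus_bits); modulus_bits is None for
    non-RSA algorithms, whose key field has a different structure.
    """
    fields = rdata.split()
    flags, alg = int(fields[0]), int(fields[2])
    if alg not in RSA_ALGORITHMS:
        return (flags, alg, None)
    return (flags, alg, rsa_modulus_bits("".join(fields[3:])))


def make_rsa_pubkey(exponent: int, modulus: int) -> str:
    """Encode (e, n) in RFC 3110 format; used here only to build the sample."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    hdr = bytes([len(e)]) if len(e) < 256 else b"\x00" + len(e).to_bytes(2, "big")
    return base64.b64encode(hdr + e + n).decode()


def tally(records: list) -> dict:
    """Count RSA key sizes, split by role: SEP bit set (KSK) or clear (ZSK)."""
    counts = {}
    for rdata in records:
        flags, _alg, bits = key_length_from_dnskey(rdata)
        if bits is None:
            continue
        role = "KSK" if flags & 1 else "ZSK"  # SEP is the low-order flag bit
        counts[(role, bits)] = counts.get((role, bits), 0) + 1
    return counts


# Constructed sample zone apex: 2048-bit KSK, 1024-bit ZSK, one ECDSA key.
SAMPLE = [
    "257 3 8 " + make_rsa_pubkey(65537, (1 << 2047) | 1),
    "256 3 8 " + make_rsa_pubkey(65537, (1 << 1023) | 1),
    "256 3 13 " + base64.b64encode(b"\x01" * 64).decode(),
]

if __name__ == "__main__":
    for (role, bits), n in sorted(tally(SAMPLE).items()):
        print(f"{role} {bits}-bit RSA: {n}")
```

On a real data set the records would come from DNSKEY queries for each signed delegation; the separate ZSK/KSK tally matters because the thread's question is specifically about the keys used for the actual zone signing.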

Re: [DNSOP] draft-fanf-dnsop-trust-anchor-witnesses-00.txt

2014-02-13 Thread Matthäus Wander
* Tony Finch [2014-02-13 21:56]: > There was some discussion last month about dispersing trust in the root. > http://www.ietf.org/mail-archive/web/dnsop/current/msg10977.html > > This inspired me to write up a concrete proposal for the > quorum-of-witnesses idea that I have vaguely suggested sever

Re: [DNSOP] draft-hoffine-already-dotless

2013-09-30 Thread Matthäus Wander
* Tony Finch [2013-09-30 13:41]: > I've just done a rough deliverability test to postmaster@TLD for the TLDs > with MX records. This just checks that the RCPT TO command is accepted. > The results show that even if your site will let you send mail to these > domains, it still mostly won't work. >