Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

2017-07-21 Thread Mukund Sivaraman
On Fri, Jul 21, 2017 at 10:24:35AM +0200, Petr Špaček wrote: > On 19.7.2017 10:50, Francis Dupont wrote: > > In your previous mail you wrote: > > > >> NSEC needs no keys, only their RRSIGs would which wouldn't exist in > >> unsigned zones. In this case the unsigned NSEC would also not be part

Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

2017-07-21 Thread Petr Špaček
On 19.7.2017 10:50, Francis Dupont wrote: > In your previous mail you wrote: > >> NSEC needs no keys, only their RRSIGs would which wouldn't exist in >> unsigned zones. In this case the unsigned NSEC would also not be part of >> the zone (it would have to be synthesized and maintained outside

Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

2017-07-20 Thread Stephane Bortzmeyer
On Tue, Jul 18, 2017 at 06:20:56PM +0530, Mukund Sivaraman wrote a message of 27 lines which said: > It is to put draft-ietf-dnsop-nsec-aggressiveuse to use with unsigned > zones. That's quite funny. During the development of RFC 8020 (draft-ietf-dnsop-nxdomain-cut), which

Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

2017-07-20 Thread Mukund Sivaraman
Hi Jinmei On Wed, Jul 19, 2017 at 04:14:11PM -0700, 神明達哉 wrote: > At Tue, 18 Jul 2017 18:20:56 +0530, > Mukund Sivaraman wrote: > > > Dealing with water torture and some other attacks has had several > > band-aid approaches that don't always work well in practice. The most > >

Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

2017-07-19 Thread 神明達哉
At Tue, 18 Jul 2017 18:20:56 +0530, Mukund Sivaraman wrote: > Dealing with water torture and some other attacks has had several > band-aid approaches that don't always work well in practice. The most > promising (and what feels correct) is > draft-ietf-dnsop-nsec-aggressiveuse,

Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

2017-07-19 Thread Francis Dupont
In your previous mail you wrote: > NSEC needs no keys, only their RRSIGs would which wouldn't exist in > unsigned zones. In this case the unsigned NSEC would also not be part of > the zone (it would have to be synthesized and maintained outside the > zone). => but it is created by an

Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

2017-07-18 Thread Petr Špaček
On 18.7.2017 14:50, Mukund Sivaraman wrote: > Hi Paul > > On Tue, Jul 18, 2017 at 02:35:31PM +0200, Paul Hoffman wrote: >> On 18 Jul 2017, at 11:46, Mukund Sivaraman wrote: >> >>> Will you give some thought and reply with your opinion on NSEC/NSEC3 for >>> unsigned zones requiring the DNS COOKIE

Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

2017-07-18 Thread Mukund Sivaraman
Hi Paul On Tue, Jul 18, 2017 at 02:35:31PM +0200, Paul Hoffman wrote: > On 18 Jul 2017, at 11:46, Mukund Sivaraman wrote: > > > Will you give some thought and reply with your opinion on NSEC/NSEC3 for > > unsigned zones requiring the DNS COOKIE option in transmission, that can > > be used with

Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

2017-07-18 Thread Paul Hoffman
On 18 Jul 2017, at 11:46, Mukund Sivaraman wrote: > Will you give some thought and reply with your opinion on NSEC/NSEC3 for > unsigned zones requiring the DNS COOKIE option in transmission, that can > be used with draft-ietf-dnsop-nsec-aggressiveuse? Of what value is the result? Is it worth the

Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

2017-07-18 Thread Mukund Sivaraman
Hi Francis On Tue, Jul 18, 2017 at 01:17:58PM +0200, Francis Dupont wrote: > In your previous mail you wrote: > > > There are still many popular unsigned zones, many of which don't look > > like they will be signed soon due to operational and other reasons. > > > > Will you give some

Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

2017-07-18 Thread Jim Reid
> On 18 Jul 2017, at 12:17, Francis Dupont wrote: > > It seems easier to remember that DNSSEC offers proofs for denial of existence. Except when it doesn't. :-) RFC5155 includes opt-in.

Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

2017-07-18 Thread Tony Finch
Francis Dupont wrote: > It seems easier to remember that DNSSEC offers proofs for denial of existence. Yes. Surely we don't want to make the DNS even more complicated just to undermine one of the positive features of DNSSEC. Tony. -- f.anthony.n.finch

Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

2017-07-18 Thread Francis Dupont
In your previous mail you wrote: > There are still many popular unsigned zones, many of which don't look > like they will be signed soon due to operational and other reasons. > > Will you give some thought and reply with your opinion on NSEC/NSEC3 for > unsigned zones requiring the DNS

[DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

2017-07-18 Thread Mukund Sivaraman
Hi all There are still many popular unsigned zones, many of which don't look like they will be signed soon due to operational and other reasons. Will you give some thought and reply with your opinion on NSEC/NSEC3 for unsigned zones requiring the DNS COOKIE option in transmission, that can be