On Fri, Jul 21, 2017 at 10:24:35AM +0200, Petr Špaček wrote:
> On 19.7.2017 10:50, Francis Dupont wrote:
> > In your previous mail you wrote:
> >
> >> NSEC needs no keys, only their RRSIGs would which wouldn't exist in
> >> unsigned zones. In this case the unsigned NSEC would also not be part
On 19.7.2017 10:50, Francis Dupont wrote:
> In your previous mail you wrote:
>
>> NSEC needs no keys, only their RRSIGs would which wouldn't exist in
>> unsigned zones. In this case the unsigned NSEC would also not be part of
>> the zone (it would have to be synthesized and maintained outside
On Tue, Jul 18, 2017 at 06:20:56PM +0530,
Mukund Sivaraman wrote
a message of 27 lines which said:
> It is to put draft-ietf-dnsop-nsec-aggressiveuse to use with unsigned
> zones.
That's quite funny. During the development of RFC 8020
(draft-ietf-dnsop-nxdomain-cut), which
Hi Jinmei
On Wed, Jul 19, 2017 at 04:14:11PM -0700, 神明達哉 wrote:
> At Tue, 18 Jul 2017 18:20:56 +0530,
> Mukund Sivaraman wrote:
>
> > Dealing with water torture and some other attacks have had several
> > band-aid approaches that don't always work well in practice. The most
> >
At Tue, 18 Jul 2017 18:20:56 +0530,
Mukund Sivaraman wrote:
> Dealing with water torture and some other attacks have had several
> band-aid approaches that don't always work well in practice. The most
> promising (and what feels correct) is
> draft-ietf-dnsop-nsec-aggressiveuse,
In your previous mail you wrote:
> NSEC needs no keys, only their RRSIGs would which wouldn't exist in
> unsigned zones. In this case the unsigned NSEC would also not be part of
> the zone (it would have to be synthesized and maintained outside the
> zone).
=> but it is created by an
On 18.7.2017 14:50, Mukund Sivaraman wrote:
> Hi Paul
>
> On Tue, Jul 18, 2017 at 02:35:31PM +0200, Paul Hoffman wrote:
>> On 18 Jul 2017, at 11:46, Mukund Sivaraman wrote:
>>
>>> Will you give some thought and reply with your opinion on NSEC/NSEC3 for
>>> unsigned zones requiring the DNS COOKIE
Hi Paul
On Tue, Jul 18, 2017 at 02:35:31PM +0200, Paul Hoffman wrote:
> On 18 Jul 2017, at 11:46, Mukund Sivaraman wrote:
>
> > Will you give some thought and reply with your opinion on NSEC/NSEC3 for
> > unsigned zones requiring the DNS COOKIE option in transmission, that can
> > be used with
On 18 Jul 2017, at 11:46, Mukund Sivaraman wrote:
> Will you give some thought and reply with your opinion on NSEC/NSEC3 for
> unsigned zones requiring the DNS COOKIE option in transmission, that can
> be used with draft-ietf-dnsop-nsec-aggressiveuse?
Of what value is the result? Is it worth the
Hi Francis
On Tue, Jul 18, 2017 at 01:17:58PM +0200, Francis Dupont wrote:
> In your previous mail you wrote:
>
> > There are still many popular unsigned zones, many of which don't look
> > like they will be signed soon due to operational and other reasons.
> >
> > Will you give some
> On 18 Jul 2017, at 12:17, Francis Dupont wrote:
>
> It seems easier to remember that DNSSEC offers proofs for denial of existence.
Except when it doesn't. :-) RFC5155 includes opt-in.
___
DNSOP mailing list
Francis Dupont wrote:
> It seems easier to remember that DNSSEC offers proofs for denial of existence.
Yes. Surely we don't want to make the DNS even more complicated just to
undemine one of the positive features of DNSSEC.
Tony.
--
f.anthony.n.finch
In your previous mail you wrote:
> There are still many popular unsigned zones, many of which don't look
> like they will be signed soon due to operational and other reasons.
>
> Will you give some thought and reply with your opinion on NSEC/NSEC3 for
> unsigned zones requiring the DNS
Hi all
There are still many popular unsigned zones, many of which don't look
like they will be signed soon due to operational and other reasons.
Will you give some thought and reply with your opinion on NSEC/NSEC3 for
unsigned zones requiring the DNS COOKIE option in transmission, that can
be
14 matches
Mail list logo