[dns-operations] Validating or not validating (ICANN controlled interruption)

Tony Finch dot at dotat.at
Wed Sep 3 11:59:54 UTC 2014

Peter van Dijk <peter.van.dijk at netherlabs.nl> wrote:
> But Unbound is right. The NSEC3 that covers the name you are asking for
> has the opt-out flag set, and hence the denial is insecure (but not
> bogus). Setting AD is, to my knowledge, not valid here.

I think you are right, though it can be a bit difficult to know when to
set AD :-) I think the most pertinent text in RFC 5155 is in section 12.2
Opt-Out Considerations:

   Note that with or without Opt-Out, an insecure delegation may be
   undetectably altered by an attacker.  Because of this, the primary
   difference in security when using Opt-Out is the loss of the ability
   to prove the existence or nonexistence of an insecure delegation
   within the span of an Opt-Out NSEC3 RR.

   In particular, this means that a malicious entity may be able to
   insert or delete RRs with unsigned names.  These RRs are normally NS
   RRs, but this also includes signed wildcard expansions (while the
   wildcard RR itself is signed, its expanded name is an unsigned name).
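The point under discussion is exactly the decision a validator has to make: walk the closest-encloser proof, and if the NSEC3 that covers the next closer name has the Opt-Out bit set, treat the denial as insecure and leave AD clear. The following is an added worked example, not code from this thread, Unbound or any other named resolver. It hashes names per RFC 5155 section 5 (SHA-1 over the canonical wire-format name plus salt, iterated), builds a constructed NSEC3 chain for a toy zone, and classifies an NXDOMAIN as secure, insecure or bogus per sections 6 and 8.4. Assumptions: the chain is built from the block's own hashes (no real zone file), RRSIG validation and the NODATA type bitmap are out of scope, and the zone content (example., a.example., ai.example.) is made up; the salt aabbccdd and 12 iterations are the RFC 5155 Appendix A parameters so the apex hash can be checked against the published value.

```python
"""Secure, insecure or bogus? Classifying an NSEC3 denial with Opt-Out.

Added example, not from the dns-operations thread. Constructed zone data;
no RRSIG checking; the NODATA type bitmap is not examined.
"""
import hashlib
from dataclasses import dataclass
from typing import List, NamedTuple, Optional

B32HEX = "0123456789abcdefghijklmnopqrstuv"   # RFC 4648 base32hex alphabet, ASCII-ordered
OPT_OUT = 0x01                                # RFC 5155 s3.1.2.1: Opt-Out is the low flag bit


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, as RFC 5155 s5 hashes it."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """Unpadded base32hex. The alphabet sorts like the raw bytes, so comparing two
    encoded hashes as strings orders them exactly as the hashes themselves."""
    nbits = len(data) * 8
    nchars = -(-nbits // 5)
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(B32HEX[(value >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """IH(salt, x, k) from RFC 5155 s5: SHA-1(x || salt), re-hashed `iterations` times."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


@dataclass
class NSEC3:
    owner_hash: str   # first label of the NSEC3 owner name
    flags: int
    next_hash: str    # Next Hashed Owner Name field

    def matches(self, h: str) -> bool:
        return self.owner_hash == h

    def covers(self, h: str) -> bool:
        o, n = self.owner_hash, self.next_hash
        if o < n:
            return o < h < n
        return h > o or h < n    # last RR in the chain wraps around to the first


class Denial(NamedTuple):
    status: str   # "secure", "insecure" or "bogus"
    ad: bool      # may the validator set AD? (RFC 4035 s3.2.3: only if everything is authentic)
    reason: str


def find(rrs: List[NSEC3], pred) -> Optional[NSEC3]:
    return next((rr for rr in rrs if pred(rr)), None)


def classify_nxdomain(qname: str, zone: str, nsec3s: List[NSEC3], salt: bytes, iterations: int) -> Denial:
    """Closest-encloser proof for a Name Error response (RFC 5155 s8.4).

    Walk from qname up to the apex; the first ancestor with a matching NSEC3 is the
    closest encloser. The next closer name and the wildcard at the closest encloser
    must both be covered. If the NSEC3 covering the next closer name has Opt-Out set,
    an unsigned delegation may exist in that span (RFC 5155 s6), so the denial is
    insecure rather than bogus, and AD must stay clear.
    """
    h = lambda n: nsec3_hash(n, salt, iterations)
    labels = qname.lower().rstrip(".").split(".")
    zone_labels = zone.lower().rstrip(".").split(".")
    if labels[-len(zone_labels):] != zone_labels:
        return Denial("bogus", False, f"{qname} is not below {zone}")
    qh = h(qname)
    if find(nsec3s, lambda rr: rr.matches(qh)):
        return Denial("secure", True, "qname has a matching NSEC3: it exists, so this is a NODATA proof (bitmap not checked here)")
    for i in range(1, len(labels) - len(zone_labels) + 1):
        candidate = ".".join(labels[i:]) + "."
        ch = h(candidate)
        if not find(nsec3s, lambda rr: rr.matches(ch)):
            continue
        next_closer = ".".join(labels[i - 1:]) + "."
        nh = h(next_closer)
        nc_rr = find(nsec3s, lambda rr: rr.covers(nh))
        if nc_rr is None:
            return Denial("bogus", False, f"no NSEC3 covers next closer name {next_closer}")
        wh = h("*." + candidate)
        if find(nsec3s, lambda rr: rr.covers(wh)) is None:
            return Denial("bogus", False, f"no NSEC3 covers wildcard *.{candidate}")
        if nc_rr.flags & OPT_OUT:
            return Denial("insecure", False, f"NSEC3 covering {next_closer} has Opt-Out set: an unsigned delegation may exist there")
        return Denial("secure", True, f"closest encloser {candidate}; {next_closer} and *.{candidate} proven absent")
    return Denial("bogus", False, "no closest encloser found, not even the apex")


def build_chain(names: List[str], salt: bytes, iterations: int, flags: int = 0) -> List[NSEC3]:
    """Constructed NSEC3 chain over the signed names of a toy zone: sorted by hash, last wraps to first."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [NSEC3(hashes[i], flags, hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]


SALT = bytes.fromhex("aabbccdd")   # RFC 5155 Appendix A parameters
ITERATIONS = 12
ZONE = "example."
SIGNED_NAMES = ["example.", "a.example.", "ai.example."]   # constructed zone content


def demo() -> dict:
    """Same missing name, once under an Opt-Out chain and once under a full chain."""
    out = {}
    for label, flags in (("opt-out chain", OPT_OUT), ("full chain", 0)):
        chain = build_chain(SIGNED_NAMES, SALT, ITERATIONS, flags)
        out[label] = classify_nxdomain("b.example.", ZONE, chain, SALT, ITERATIONS)
    return out


if __name__ == "__main__":
    print("H(example.) =", nsec3_hash("example.", SALT, ITERATIONS))
    for label, r in demo().items():
        print(f"{label}: {r.status}, AD={r.ad}: {r.reason}")
```

Run as a script it prints the apex hash (which should equal the 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom of RFC 5155 Appendix A) and then the two verdicts for b.example.: "insecure, AD=False" under the Opt-Out chain and "secure, AD=True" under the full chain. The only difference between the two runs is the flag bit on the covering NSEC3, which is the whole reason Unbound withholds AD in the case Peter describes.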

