[dns-operations] Validating or not validating (ICANN controlled interruption)
Tony Finch
dot at dotat.at
Wed Sep 3 11:59:54 UTC 2014
Peter van Dijk <peter.van.dijk at netherlabs.nl> wrote:
>
> But Unbound is right. The NSEC3 that covers the name you are asking for
> has the opt-out flag set, and hence the denial is insecure (but not
> bogus). Setting AD is, to my knowledge, not valid here.
I think you are right, though it can be a bit difficult to know when to
set AD :-) I think the most pertinent text in RFC 5155 is in section 12.2
Opt-Out Considerations:
Note that with or without Opt-Out, an insecure delegation may be
undetectably altered by an attacker. Because of this, the primary
difference in security when using Opt-Out is the loss of the ability
to prove the existence or nonexistence of an insecure delegation
within the span of an Opt-Out NSEC3 RR.
In particular, this means that a malicious entity may be able to
insert or delete RRs with unsigned names. These RRs are normally NS
RRs, but this also includes signed wildcard expansions (while the
wildcard RR itself is signed, its expanded name is an unsigned name).
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly
5 or 6. Slight or moderate. Showers in northwest. Good.
More information about the dns-operations
mailing list