[dns-operations] negative dnssec replies

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Nov 26 17:13:34 UTC 2016


> On Nov 26, 2016, at 8:10 AM, Router Log <logrouterlog at gmail.com> wrote:
> 
> The signing of negative replies from DNSSEC-enabled zones increases the size of the zone data and the complexity of DNS. For ease of use and implementation, would it be a good idea that a DNSSEC-enabled zone could signal to a querier that it intends to send unsigned NXDOMAIN replies? This mechanism would have to be signed, of course.
> Kind regards, Peter Davies

This creates downgrade attacks for opportunistic DANE TLS

	https://tools.ietf.org/html/rfc7672#section-2.2
	https://tools.ietf.org/html/rfc7673#section-3.4

If the zone administrator has no intention to publish TLSA
records for opportunistic TLS, then perhaps NXDOMAIN forgery
could be acceptable, but I don't think that a standard for
a corresponding mechanism is likely at this time.

-- 
	Viktor.
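The downgrade Viktor refers to, as an added example that is not part of the original thread: a toy Python model of the decision an SMTP client makes after looking up the TLSA record for an MX host (RFC 7672 section 2.2, simplified). The `unsigned_nxdomain_opt_out` flag stands in for the mechanism proposed in the quoted message and is an assumption of this example, not a real protocol element; the TLSA answers are constructed. It shows that today a forged, unsigned NXDOMAIN for `_25._tcp.<mx>` from a signed zone is bogus and the client fails closed, whereas once the zone tells validators to accept unsigned denials, the same forged answer looks like "no TLSA record" and the client falls back to unauthenticated TLS.

```python
"""Added example, not code from the dns-operations thread or from any
RFC: why accepting unsigned NXDOMAIN from a signed zone turns a forged
denial into a DANE downgrade."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsaAnswer:
    """Constructed model of a resolver's answer for _25._tcp.<mx>."""
    rcode: str            # "NOERROR" or "NXDOMAIN"
    tlsa_records: tuple   # TLSA RDATA strings; empty for NODATA/NXDOMAIN
    signed: bool          # RRSIG/NSEC(3) chain validated to the trust anchor


def validation_status(answer, zone_is_signed, unsigned_nxdomain_opt_out=False):
    """RFC 4035-style status of the answer: 'secure', 'insecure' or 'bogus'.

    unsigned_nxdomain_opt_out is hypothetical: it models a signed zone
    announcing that its NXDOMAIN replies are unsigned and must be accepted.
    """
    if not zone_is_signed:
        return "insecure"
    if answer.signed:
        return "secure"
    if answer.rcode == "NXDOMAIN" and unsigned_nxdomain_opt_out:
        # The validator has been told to trust unsigned denials from this
        # zone, so it cannot distinguish a genuine one from an injected one.
        return "secure"
    # Unsigned data from a signed zone without such an opt-out is bogus.
    return "bogus"


def smtp_tls_policy(answer, zone_is_signed, unsigned_nxdomain_opt_out=False):
    """Simplified RFC 7672 section 2.2 outcome for one MX host:

      'dane'           usable TLSA RRset: TLS must authenticate or fail
      'opportunistic'  no secure TLSA: unauthenticated TLS, or cleartext
      'defer'          bogus/indeterminate: do not deliver now (fail closed)
    """
    status = validation_status(answer, zone_is_signed, unsigned_nxdomain_opt_out)
    if status == "bogus":
        return "defer"
    if status == "insecure":
        return "opportunistic"
    # Secure (or accepted as if secure under the hypothetical opt-out).
    if answer.rcode == "NXDOMAIN" or not answer.tlsa_records:
        return "opportunistic"
    return "dane"


def downgrade_demo():
    """Compare a genuine TLSA answer with an attacker-injected NXDOMAIN."""
    genuine = TlsaAnswer("NOERROR", ("3 1 1 " + "ab" * 32,), signed=True)
    forged = TlsaAnswer("NXDOMAIN", (), signed=False)  # constructed forgery
    return {
        "genuine": smtp_tls_policy(genuine, zone_is_signed=True),
        "forged_today": smtp_tls_policy(forged, zone_is_signed=True),
        "forged_with_opt_out": smtp_tls_policy(
            forged, zone_is_signed=True, unsigned_nxdomain_opt_out=True),
    }


if __name__ == "__main__":
    for case, outcome in downgrade_demo().items():
        print(f"{case:20s} -> {outcome}")
```

The last two cases are the whole argument: the attacker's packet is identical in both, and only the validator's willingness to accept an unsigned denial changes the result from a deferred delivery to a session the attacker can sit in the middle of.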
