[dns-operations] negative dnssec replies

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Nov 26 17:13:34 UTC 2016

> On Nov 26, 2016, at 8:10 AM, Router Log <logrouterlog at gmail.com> wrote:
> The signing of negative replies from DNSSEC-enabled zones increases the size of the zone data and the complexity of DNS. For ease of use and implementation, would it be a good idea if a DNSSEC-enabled zone could signal to a querier that it intends to send unsigned NXDOMAIN replies? This mechanism would have to be signed, of course.
> Kind regards, Peter Davies

This creates downgrade attacks for opportunistic DANE TLS.


If the zone administrator has no intention to publish TLSA
records for opportunistic TLS, then perhaps NXDOMAIN forgery
could be acceptable, but I don't think that a standard for
a corresponding mechanism is likely at this time.
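To make the downgrade concrete, here is an added illustration (not code from the thread or from any DANE implementation) that models the RFC 7672 opportunistic DANE TLS decision for a TLSA lookup, and adds the hypothetical "my NXDOMAIN replies may be unsigned" opt-out from the question as a flag on the zone. The zone name, TLSA record and resolver behaviour are constructed for the example; the opt-out flag `unsigned_nxdomain_ok` is an assumption about how such a mechanism would have to behave, not anything DNSSEC defines.

```python
"""Model of the opportunistic DANE TLS outcome (RFC 7672) for a TLSA query,
with and without a hypothetical signed opt-out for unsigned NXDOMAIN replies.
Added illustration, not code from the dns-operations thread."""
from dataclasses import dataclass, field
from enum import Enum


class Validation(Enum):
    SECURE = "secure"      # signed, RRSIG/NSEC chain validated (AD bit set)
    INSECURE = "insecure"  # provably unsigned: no DS record at the parent
    BOGUS = "bogus"        # signed zone, proof missing or bad: resolver SERVFAILs


class Rcode(Enum):
    NOERROR = 0
    NXDOMAIN = 3


@dataclass(frozen=True)
class TlsaAnswer:
    rcode: Rcode
    validation: Validation
    records: tuple = ()    # usable TLSA RRs, e.g. "3 1 1 <sha256 hex>"


@dataclass
class Zone:
    signed: bool
    tlsa: dict = field(default_factory=dict)  # qname -> tuple of TLSA RRs
    unsigned_nxdomain_ok: bool = False        # HYPOTHETICAL opt-out (assumption)


class Policy(Enum):
    DANE_VERIFIED = "TLS with DANE-verified certificate"
    OPPORTUNISTIC = "unauthenticated TLS, cleartext fallback allowed"
    DEFER = "no connection; defer delivery and retry later"


def resolve_tlsa(zone: Zone, qname: str, forged_nxdomain: bool = False) -> TlsaAnswer:
    """What a validating resolver hands back for a TLSA query.

    forged_nxdomain models an on-path attacker injecting an unsigned NXDOMAIN
    (no RRSIG, no NSEC/NSEC3 proof) ahead of the authoritative answer."""
    if not zone.signed:
        # Nothing to validate: forgery and real answer are indistinguishable.
        if forged_nxdomain or qname not in zone.tlsa:
            return TlsaAnswer(Rcode.NXDOMAIN, Validation.INSECURE)
        return TlsaAnswer(Rcode.NOERROR, Validation.INSECURE, zone.tlsa[qname])

    if forged_nxdomain:
        if zone.unsigned_nxdomain_ok:
            # The signed opt-out tells the resolver to accept unsigned denials,
            # so the forged reply passes as a legitimate "no TLSA here".
            return TlsaAnswer(Rcode.NXDOMAIN, Validation.INSECURE)
        # Today: a denial in a signed zone needs a signed NSEC/NSEC3 proof.
        # None is present, so validation fails and the client sees SERVFAIL.
        return TlsaAnswer(Rcode.NXDOMAIN, Validation.BOGUS)

    if qname in zone.tlsa:
        return TlsaAnswer(Rcode.NOERROR, Validation.SECURE, zone.tlsa[qname])
    return TlsaAnswer(Rcode.NXDOMAIN, Validation.SECURE)  # authenticated denial


def dane_policy(answer: TlsaAnswer) -> Policy:
    """Client outcome per RFC 7672 section 2.2 for the TLSA lookup result."""
    if answer.validation is Validation.BOGUS:
        return Policy.DEFER          # tampering must never weaken security
    if answer.validation is Validation.INSECURE:
        return Policy.OPPORTUNISTIC  # unsigned: DANE impossible, still try TLS
    if answer.records:
        return Policy.DANE_VERIFIED
    return Policy.OPPORTUNISTIC      # secure denial: no TLSA published


def forged_outcome(zone: Zone, qname: str) -> tuple:
    """(policy with the honest answer, policy under an injected unsigned NXDOMAIN)."""
    return (dane_policy(resolve_tlsa(zone, qname)),
            dane_policy(resolve_tlsa(zone, qname, forged_nxdomain=True)))


def downgrade_possible(zone: Zone, qname: str) -> bool:
    """True if forging NXDOMAIN turns DANE-verified TLS into unauthenticated TLS."""
    honest, forged = forged_outcome(zone, qname)
    return honest is Policy.DANE_VERIFIED and forged is Policy.OPPORTUNISTIC


# Constructed sample data: one MX host publishing a DANE-EE(3) SPKI(1) SHA-256(1) record.
TLSA_NAME = "_25._tcp.mx.example.net."
TLSA_RR = ("3 1 1 " + "ab" * 32,)

SIGNED_ZONE = Zone(signed=True, tlsa={TLSA_NAME: TLSA_RR})
OPT_OUT_ZONE = Zone(signed=True, tlsa={TLSA_NAME: TLSA_RR}, unsigned_nxdomain_ok=True)
UNSIGNED_ZONE = Zone(signed=False, tlsa={TLSA_NAME: TLSA_RR})

if __name__ == "__main__":
    for label, z in (("signed", SIGNED_ZONE), ("signed+opt-out", OPT_OUT_ZONE),
                     ("unsigned", UNSIGNED_ZONE)):
        honest, forged = forged_outcome(z, TLSA_NAME)
        print(f"{label:15} honest={honest.name:14} forged={forged.name:14} "
              f"downgrade={downgrade_possible(z, TLSA_NAME)}")
```

The point the model makes: in a signed zone today, an injected unsigned NXDOMAIN for the TLSA name is bogus, so the sending MTA defers rather than connects, and the attacker gains nothing. Once the zone has (securely) told resolvers to accept unsigned denials, the same forgery is accepted as "no TLSA record", the client falls back to unauthenticated TLS, and the on-path attacker can intercept the session. Whether the resolver labels the accepted forgery insecure or pretends it is secure does not matter; both branches end in the opportunistic outcome.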

