[dns-operations] negative dnssec replies
Viktor Dukhovni
ietf-dane at dukhovni.org
Sat Nov 26 17:13:34 UTC 2016
> On Nov 26, 2016, at 8:10 AM, Router Log <logrouterlog at gmail.com> wrote:
>
> The signing of negative replies from DNSSEC-enabled zones increases the size of the zone data and the complexity of DNS. For ease of use and implementation, would it be a good idea that a DNSSEC-enabled zone could signal to a querier that it intends to send unsigned NXDOMAIN replies? This mechanism would have to be signed, of course.
> Kind regards, Peter Davies
This creates downgrade attacks for opportunistic DANE TLS:
https://tools.ietf.org/html/rfc7672#section-2.2
https://tools.ietf.org/html/rfc7673#section-3.4
If the zone administrator has no intention to publish TLSA
records for opportunistic TLS, then perhaps NXDOMAIN forgery
could be acceptable, but I don't think that a standard for
a corresponding mechanism is likely at this time.
--
Viktor.
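The downgrade Viktor refers to can be made concrete with a small model of the TLSA-lookup decision from RFC 7672 section 2.2. This is an added example, not code from the original message or from any resolver or MTA; it assumes simplified validation states, a constructed TLSA record with a placeholder digest, and a hypothetical `unsigned_nxdomain_ok` flag standing in for the signal proposed in the thread (which does not exist in DNSSEC).

```python
"""Constructed model of the TLSA-lookup decision in opportunistic DANE TLS
(RFC 7672, section 2.2), simplified to show why an unsigned NXDOMAIN from a
signed zone must stay "bogus". Not resolver code from the page or any project."""
from dataclasses import dataclass

# Validation states, following RFC 4035 section 4.3 terminology.
SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


@dataclass(frozen=True)
class DnsAnswer:
    """What the SMTP client's validating resolver saw for the TLSA query
    (e.g. _25._tcp.mx.example.com). `signed` means the RRset, or the NSEC/NSEC3
    denial-of-existence proof, validated up to the trust anchor."""
    rcode: str      # "NOERROR" or "NXDOMAIN"
    tlsa: tuple     # usable TLSA records as (usage, selector, mtype, hexdata); () if none
    signed: bool


def validate(zone_signed: bool, ans: DnsAnswer, unsigned_nxdomain_ok: bool = False) -> str:
    """DNSSEC status of a TLSA response.

    zone_signed: the resolver has a secure DS chain proving the zone is signed.
    unsigned_nxdomain_ok: the mechanism proposed in the thread (hypothetical, not a
    real DNSSEC feature): the signed zone declares that its NXDOMAIN replies carry
    no signature and should nevertheless be believed."""
    if not zone_signed:
        return INSECURE
    if ans.signed:
        return SECURE
    if ans.rcode == "NXDOMAIN" and unsigned_nxdomain_ok:
        return SECURE            # the proposal: unsigned denial accepted as proven
    return BOGUS                 # unsigned data from a signed zone: forged or broken


def dane_policy(status: str, ans: DnsAnswer) -> str:
    """SMTP client outcome for one TLSA lookup, after RFC 7672 section 2.2."""
    if status == BOGUS:
        return "defer"           # temporary failure; the client never falls back
    if status == SECURE and ans.rcode == "NOERROR" and ans.tlsa:
        return "dane-tls"        # authenticated TLS is now mandatory
    return "opportunistic-tls"   # pre-DANE STARTTLS: unauthenticated, MITM-able


def deliver(zone_signed: bool, ans: DnsAnswer, unsigned_nxdomain_ok: bool = False) -> str:
    return dane_policy(validate(zone_signed, ans, unsigned_nxdomain_ok), ans)


# Constructed responses for a signed zone that publishes a DANE-EE(3) SPKI(1)
# SHA-256(1) record; the digest is a placeholder, not a real certificate hash.
GENUINE_TLSA = DnsAnswer("NOERROR", ((3, 1, 1, "ab" * 32),), signed=True)
GENUINE_NXDOMAIN = DnsAnswer("NXDOMAIN", (), signed=True)   # signed NSEC proof
FORGED_NXDOMAIN = DnsAnswer("NXDOMAIN", (), signed=False)   # on-path attacker, no RRSIG


def scenarios() -> dict:
    """Compare the honest outcome with what an on-path forger achieves."""
    return {
        "honest TLSA answer":                 deliver(True, GENUINE_TLSA),
        "honest signed NXDOMAIN (no TLSA)":   deliver(True, GENUINE_NXDOMAIN),
        "forged NXDOMAIN, standard DNSSEC":   deliver(True, FORGED_NXDOMAIN),
        "forged NXDOMAIN, unsigned-NXDOMAIN signal":
            deliver(True, FORGED_NXDOMAIN, unsigned_nxdomain_ok=True),
        "unsigned zone":                      deliver(False, DnsAnswer("NOERROR", (), False)),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:45s} -> {outcome}")
```

With standard DNSSEC the forged, unsigned NXDOMAIN for a signed zone validates as bogus and the client defers, so an attacker cannot strip the TLSA record. Once the zone is allowed to announce unsigned NXDOMAIN replies, the same forgery validates as a secure denial of existence and the client drops from authenticated DANE TLS to unauthenticated opportunistic TLS, which is the downgrade. The model covers only the TLSA step; the MX and CNAME handling in RFC 7672 is omitted.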