[dns-operations] negative dnssec replies

Router Log logrouterlog at gmail.com
Mon Nov 28 20:23:37 UTC 2016


Oh well, it was just a stray thought ;)
Thanks for the link to Olaf Gudmundsson's interesting blog.
I was aware that PowerDNS allows one to synthesize signed nxdomain
replies.
I still think there must be a more elegant method out there that doesn't
involve keeping the private key on the shop floor.



On Mon, Nov 28, 2016 at 1:02 PM, Tony Finch <dot at dotat.at> wrote:

> Florian Weimer <fw at deneb.enyo.de> wrote:
> >
> > Doesn't the NSEC3 opt-out mechanism achieve pretty much something like
> > this?
>
> It can give you a smaller zone if you have lots of unsigned delegations,
> but it doesn't reduce the size of the zone if all the actual records are
> signed, and it doesn't reduce the size of negative replies since you have
> to send an opt-out proof.
>
> Unsigned NXDOMAINs are a marvellous DoS mechanism :-)
>
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h
> punycode
> Wight, Portland, Plymouth: East 5 to 7. Moderate or rough. Mainly fair, but
> showers at first. Moderate or good.
>
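
The mechanics behind the exchange above, as an added example that is not part of the original post and not taken from PowerDNS or any other nameserver: NSEC3 owner hashing per RFC 5155 section 5, a parser for NSEC3 RDATA that exposes the Opt-Out flag, and the interval check a validator applies to each NSEC3 in a negative reply. The sample record is constructed here; it reuses the salt (aabbccdd), iteration count (12) and names (example., ns1.example.) of the RFC 5155 Appendix A zone, but its "next" hash is computed by this code, not copied from the RFC. Opt-Out only says the span may contain unsigned delegations, so the covering record must still be sent and signed, which is why it does not shrink the NXDOMAIN response.

```python
# Added example (not from the original post or from any nameserver's code):
# NSEC3 hashing per RFC 5155 section 5, NSEC3 RDATA parsing including the
# Opt-Out flag, and the "does this record cover that hash" check a validator
# runs on each NSEC3 carried in a negative reply.
import base64
import hashlib
import struct

_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789abcdefghijklmnopqrstuv"   # RFC 4648 section 7 alphabet
_STD_TO_HEX = str.maketrans(_B32_STD, _B32_HEX)
_HEX_TO_STD = str.maketrans(_B32_HEX, _B32_STD)

OPT_OUT = 0x01   # RFC 5155 section 3.1.2.1: the only defined NSEC3 flag bit


def b32hex_encode(data: bytes) -> str:
    """Unpadded lowercase base32hex, the form used in NSEC3 owner labels."""
    return base64.b32encode(data).decode("ascii").rstrip("=").translate(_STD_TO_HEX)


def b32hex_decode(label: str) -> bytes:
    std = label.lower().translate(_HEX_TO_STD)
    return base64.b32decode(std + "=" * (-len(std) % 8))


def wire_name(name: str) -> bytes:
    """Canonical (lowercased) uncompressed wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int, alg: int = 1) -> str:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt),
    IH(salt, x, k) = H(IH(salt, x, k-1) || salt).  Only algorithm 1 (SHA-1) exists."""
    if alg != 1:
        raise ValueError("unknown NSEC3 hash algorithm %d" % alg)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex_encode(digest)


def type_bitmap(types) -> bytes:
    """Encode RR types as NSEC/NSEC3 window blocks (RFC 4034 section 4.1.2)."""
    windows = {}
    for t in types:
        windows.setdefault(t >> 8, set()).add(t & 0xFF)
    out = b""
    for w in sorted(windows):
        buf = bytearray(max(windows[w]) // 8 + 1)
        for b in windows[w]:
            buf[b // 8] |= 0x80 >> (b % 8)
        out += bytes([w, len(buf)]) + bytes(buf)
    return out


def build_nsec3(flags: int, iterations: int, salt: bytes, next_hashed: bytes, types) -> bytes:
    """NSEC3 RDATA: alg, flags, iterations, salt len, salt, hash len, next hash, bitmap."""
    return (struct.pack("!BBHB", 1, flags, iterations, len(salt)) + salt
            + bytes([len(next_hashed)]) + next_hashed + type_bitmap(types))


def parse_nsec3(rdata: bytes) -> dict:
    alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    pos = 5
    salt = rdata[pos:pos + salt_len]
    pos += salt_len
    hash_len = rdata[pos]
    pos += 1
    next_hashed = rdata[pos:pos + hash_len]
    pos += hash_len
    types = []
    while pos < len(rdata):
        window, blen = rdata[pos], rdata[pos + 1]
        pos += 2
        for i, byte in enumerate(rdata[pos:pos + blen]):
            types.extend(window * 256 + i * 8 + bit for bit in range(8) if byte & (0x80 >> bit))
        pos += blen
    return {"alg": alg, "opt_out": bool(flags & OPT_OUT), "iterations": iterations,
            "salt": salt, "next": next_hashed, "types": sorted(types)}


def covers(owner_label: str, next_hashed: bytes, candidate: bytes) -> bool:
    """True if candidate lies strictly inside (owner, next): the test a validator
    applies to the next-closer name in an NXDOMAIN proof.  The last record in
    the chain wraps around to the smallest hash in the zone."""
    owner = b32hex_decode(owner_label)
    if owner < next_hashed:
        return owner < candidate < next_hashed
    return candidate > owner or candidate < next_hashed


# Constructed sample: apex NSEC3 with the RFC 5155 Appendix A parameters
# (salt aabbccdd, 12 iterations) and Opt-Out set.  The next hash is computed
# here from "ns1.example.", not copied from any real zone.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
APEX_TYPES = [15, 48, 2, 6, 51, 46]   # MX DNSKEY NS SOA NSEC3PARAM RRSIG


def sample_apex_record() -> tuple:
    owner = nsec3_hash("example.", SALT, ITERATIONS)
    nxt = b32hex_decode(nsec3_hash("ns1.example.", SALT, ITERATIONS))
    return owner, build_nsec3(OPT_OUT, ITERATIONS, SALT, nxt, APEX_TYPES)


if __name__ == "__main__":
    owner, rdata = sample_apex_record()
    rec = parse_nsec3(rdata)
    print("%s.example. NSEC3 1 %d %d %s %s" % (owner, OPT_OUT, rec["iterations"],
                                               SALT.hex(), b32hex_encode(rec["next"])))
    print("opt-out:", rec["opt_out"], "types:", rec["types"], "rdata bytes:", len(rdata))
    probe = b32hex_decode(nsec3_hash("nonexistent.example.", SALT, ITERATIONS))
    print("covers hash of nonexistent.example.:", covers(owner, rec["next"], probe))
```

Two caveats worth keeping in mind when reading real responses with this: a covering NSEC3 that has Opt-Out set proves only that the name is not securely delegated (the answer is insecure, not provably nonexistent), and RFC 9276 now recommends zero iterations and an empty salt, so the 12-iteration example above reflects the RFC 5155 test zone rather than current operational advice.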

