[dns-operations] Forged Delegation Injection into Empty Non-Terminal with NSEC3

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Jan 17 06:39:49 UTC 2018

> On Jan 17, 2018, at 1:04 AM, T.Suzuki <tss at reflection.co.jp> wrote:
> I cannot understand. What is "provably"? Where should I read in the RFC?
> <foobar>.gov.example is the name in the example zone.
> And there is the ex.gov.example zone below the example zone.

The short answer is: DO NOT USE THE NSEC3 OPT-OUT BIT.

A slightly longer answer is:

With the OPT-OUT bit set in the NSEC3PARAM record, insecure
delegations and associated empty non-terminals are excluded
from the NSEC3 chain.  Insecure delegations (NS without DS)
are not protected by DNSSEC signatures when the OPT-OUT bit
is used.
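The following Python script is an added example, not part of Viktor's message or of the list archive: it builds the NSEC3 chain for a constructed toy zone "example." twice, once signed with the Opt-Out flag and once without, and then applies the RFC 5155 section 8.9 rule for unsigned referrals to a forged delegation aimed at the empty non-terminal gov.example. The zone contents, the helper names, and the simplification of hashing the delegation name itself instead of walking the full closest-encloser proof are assumptions made for this illustration.

```python
import base64
import hashlib

# NSEC3 owner names are base32hex (RFC 4648 "extended hex"); that alphabet sorts in the same
# order as the raw digest bytes, so string comparison of encoded hashes gives canonical order.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")
OPT_OUT = 0x01  # NSEC3 Flags field, bit 0 (RFC 5155 section 3.1.2.1)


def wire_name(name):
    """Canonical (lowercase) wire-format encoding of a fully qualified name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    SHA-1 is the only hash algorithm defined for NSEC3. Returned as lowercase base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


# Constructed toy zone "example." (an assumption for this example): name -> (kind, types present).
# gov.example. is an empty non-terminal that exists only because of the insecure delegation below it.
ZONE = {
    "example.":        ("data", {"SOA", "NS", "DNSKEY"}),
    "www.example.":    ("data", {"A"}),
    "gov.example.":    ("ent", set()),
    "ex.gov.example.": ("insecure_delegation", {"NS"}),   # NS without DS
}


def build_nsec3_chain(zone, opt_out, salt=b"", iterations=0):
    """Build the NSEC3 chain the way RFC 5155 section 7.1 lets a signer do it: with Opt-Out,
    unsigned delegations and the empty non-terminals that exist only because of them get no
    NSEC3 RR at all, and every remaining NSEC3 RR carries the Opt-Out flag.
    Each chain entry is (owner_hash, next_hash, flags, types)."""
    flags = OPT_OUT if opt_out else 0
    included = []
    for name, (kind, types) in zone.items():
        if opt_out and kind in ("insecure_delegation", "ent"):
            continue
        included.append((nsec3_hash(name, salt, iterations), types))
    included.sort(key=lambda entry: entry[0])
    chain = []
    for i, (owner, types) in enumerate(included):
        nxt = included[(i + 1) % len(included)][0]   # the last RR wraps around to the first
        chain.append((owner, nxt, flags, types))
    return chain


def covering_nsec3(chain, h):
    """Return the NSEC3 RR whose (owner, next) span covers hash h, handling the wrap-around RR."""
    for owner, nxt, flags, types in chain:
        if owner < h < nxt or (nxt <= owner and (h > owner or h < nxt)):
            return (owner, nxt, flags, types)
    raise ValueError("NSEC3 chain is not a closed loop")


def validate_referral(chain, name, salt=b"", iterations=0):
    """Outcome for an unsigned referral (NS, no DS, no RRSIG) for `name`, per RFC 5155 section 8.9:
      - NSEC3 matching the name with NS set and DS clear  -> a real insecure delegation ("insecure")
      - NSEC3 matching the name without that type pattern -> no delegation can be there ("bogus")
      - no match, covering NSEC3 has Opt-Out set          -> nothing is proven, accept as "insecure"
                                                            (this is the hole a forged delegation uses)
      - no match, covering NSEC3 without Opt-Out          -> the name provably does not exist ("bogus")
    Simplification (assumption): the delegation name's own hash is checked rather than the
    "next closer" name of the closest-encloser proof; with one flag value across the whole
    chain, as a single signer produces, the answer is the same."""
    h = nsec3_hash(name, salt, iterations)
    for owner, nxt, flags, types in chain:
        if owner == h:
            return "insecure" if ("NS" in types and "DS" not in types) else "bogus"
    owner, nxt, flags, types = covering_nsec3(chain, h)
    return "insecure" if flags & OPT_OUT else "bogus"


def forged_delegation_outcomes(name):
    """Compare what a validator accepts for a forged referral to `name` under both signing choices."""
    return {
        "opt_out": validate_referral(build_nsec3_chain(ZONE, opt_out=True), name),
        "no_opt_out": validate_referral(build_nsec3_chain(ZONE, opt_out=False), name),
    }


if __name__ == "__main__":
    for target in ("gov.example.", "evil.gov.example.", "ex.gov.example."):
        print(target, forged_delegation_outcomes(target))
```

Run it and the Opt-Out chain classifies a forged referral for gov.example (and for any name under it) as an insecure delegation, because the NSEC3 RR covering that hash carries the Opt-Out flag and therefore proves nothing about the names in its span. The chain signed without Opt-Out has an NSEC3 RR for gov.example whose type bitmap contains no NS, so the same forged referral is bogus; only the genuine ex.gov.example delegation is accepted as insecure there.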

