[dns-operations] Forged Delegation Injection into Empty Non-Terminal with NSEC3
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Jan 17 06:39:49 UTC 2018
> On Jan 17, 2018, at 1:04 AM, T.Suzuki <tss at reflection.co.jp> wrote:
>
> I cannot understand. What is "provably"? Where should I read in the RFC?
> <foobar>.gov.example is the name in the example zone.
> And there is the ex.gov.example zone below the example zone.
The short answer is: DO NOT USE THE NSEC3 OPT-OUT BIT.
A slightly longer answer is:
With the OPT-OUT bit set in the NSEC3PARAM record, insecure
delegations and associated empty non-terminals are excluded
from the NSEC3 chain. Insecure delegations (NS without DS)
are not protected by DNSSEC signatures when the OPT-OUT bit
is used.
--
Viktor.
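An added illustration of the point above, not part of Viktor's message or of the thread: a small NSEC3 chain builder and a validator-side coverage check, written here to show what the OPT-OUT bit changes. The hashing follows RFC 5155 (iterated SHA-1 over the wire-format name plus salt, base32hex output) and is checked against the RFC 5155 Appendix A value for "example" with salt aabbccdd and 12 iterations. The zone contents, the status labels, and the function names are constructed for this example.

```python
import base64
import hashlib

# RFC 5155 Appendix A parameters (real test vector); zone contents below are constructed.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12

# Constructed zone: the apex, one secure delegation (NS + DS), one insecure
# delegation (NS without DS) and one ordinary authoritative name.
ZONE = {
    "example": "apex",
    "a.example": "secure delegation",
    "c.example": "insecure delegation",
    "ai.example": "authoritative",
}

_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical (lowercased) wire-format owner name: length-prefixed labels + root."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """RFC 5155 section 5: H(x) = SHA-1(x || salt), iterated, then base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


def build_chain(zone, opt_out):
    """Return the sorted, circular NSEC3 chain as (owner_hash, flags, next_hash).

    With OPT-OUT, insecure delegations are simply left out of the chain and
    every record carries the Opt-Out flag (bit value 1)."""
    included = [n for n, kind in zone.items()
                if not (opt_out and kind == "insecure delegation")]
    hashes = sorted(nsec3_hash(n) for n in included)
    flags = 1 if opt_out else 0
    return [(h, flags, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def classify(qname, chain):
    """What a validator can conclude about qname from the chain alone."""
    h = nsec3_hash(qname)
    for owner, flags, nxt in chain:
        if h == owner:
            return "exists"
        if owner < nxt:
            covered = owner < h < nxt
        else:  # last record wraps around to the smallest hash
            covered = h > owner or h < nxt
        if covered:
            # An Opt-Out span proves nothing about insecure delegations: a
            # referral for this name (genuine or forged) cannot be rejected.
            return "opt-out span: insecure delegation possible" if flags & 1 \
                else "proven nonexistent"
    return "no covering record"  # chain is incomplete: bogus


if __name__ == "__main__":
    for opt_out in (False, True):
        chain = build_chain(ZONE, opt_out)
        print(f"opt_out={opt_out}:")
        for q in ("c.example", "nx.example"):
            print(f"  {q:12s} -> {classify(q, chain)}")
```

Running it shows the asymmetry the thread is about: without OPT-OUT, c.example has its own NSEC3 record and a forged referral for nx.example is provably wrong; with OPT-OUT, both names fall into an opt-out span, so the validator can only classify a referral for either of them as insecure, never as bogus.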