[dns-operations] Forged Delegation Injection into Empty Non-Terminal with NSEC3

Lanlan Pan abbypan at gmail.com
Wed Jan 17 07:12:56 UTC 2018


On Wed, Jan 17, 2018 at 2:42 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:

>
>
> > On Jan 17, 2018, at 1:04 AM, T.Suzuki <tss at reflection.co.jp> wrote:
> >
> > I cannot understand. What is "provably"? Where should I read in the RFC?
> > <foobar>.gov.example is the name in the example zone.
> > And there is the ex.gov.example zone below the example zone.
>
> The short answer is: DO NOT USE THE NSEC3 OPT-OUT BIT.
>
> A slightly longer answer is:
>
> With the OPT-OUT bit set in the NSEC3PARAM record, insecure
> delegations and associated empty non-terminals are excluded
> from the NSEC3 chain.  Insecure delegations (NS without DS)
> are not protected by DNSSEC signatures when the OPT-OUT bit
> is used.
>

Maybe these 4 scenarios:

(1) strong (whole zone): NSEC3 + not OptOut, Iterations + salt periodically updated

(2) relative (whole zone): NSEC3 + not OptOut, Iterations + salt update with KSK/ZSK roll

(3) partly (x% secure delegation): NSEC3 + OptOut, Iterations + salt update with KSK/ZSK roll

(4) simple (x% secure delegation): NSEC3 + OptOut, Iterations = 0, empty salt (such as Verisign's .com)


>
> --
>         Viktor.
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>


-- 
Best Regards

潘蓝兰  Pan Lanlan
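
Added example, not part of the original message or of any project's code: a sketch of how the Opt-Out behaviour quoted above changes the NSEC3 chain, using the RFC 5155 hash. The zone contents (`www.example`, `signed.example`), the function names, and the choice of the RFC 5155 Appendix A parameters (salt `aabbccdd`, 12 iterations) are assumptions for illustration; `gov.example` and `ex.gov.example` are the names used in the thread.

```python
import base64
import hashlib

B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash (SHA-1) of a domain name, as base32hex text."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # iterations = extra rounds after the first
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(B32_TO_HEX).decode().lower()

# Constructed zone "example": name -> kind. gov.example is an empty
# non-terminal that exists only because of the insecure delegation
# ex.gov.example (NS without DS).
ZONE = {
    "example": "apex",
    "www.example": "authoritative",
    "signed.example": "secure-delegation",
    "gov.example": "ent-of-insecure-delegation",
    "ex.gov.example": "insecure-delegation",
}
SALT, ITERATIONS = "aabbccdd", 12   # parameters of the RFC 5155 Appendix A zone

def build_chain(zone, opt_out):
    """Sorted hashed owner names that get an NSEC3 RR (RFC 5155 section 7.1)."""
    skipped = {"insecure-delegation", "ent-of-insecure-delegation"} if opt_out else set()
    return sorted(nsec3_hash(n, SALT, ITERATIONS)
                  for n, kind in zone.items() if kind not in skipped)

def proof_for(chain, name):
    """'match' if an NSEC3 RR exists for name, else the span that only covers it."""
    h = nsec3_hash(name, SALT, ITERATIONS)
    if h in chain:
        return "match"
    # Owner of the covering NSEC3: largest hash below h, wrapping to the last one.
    prev = max((o for o in chain if o < h), default=chain[-1])
    nxt = chain[(chain.index(prev) + 1) % len(chain)]
    return ("covered", prev, nxt)

if __name__ == "__main__":
    for opt_out in (False, True):
        chain = build_chain(ZONE, opt_out)
        print("opt-out" if opt_out else "no opt-out", len(chain), "NSEC3 RRs")
        for name in ("gov.example", "ex.gov.example"):
            print("  ", name, proof_for(chain, name))
```

Without Opt-Out both names have a matching NSEC3 record whose type bitmap a validator can check; with Opt-Out they fall inside a covering span, which is the unprotected case the quoted reply describes.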