[dns-operations] Forged Delegation Injection into Empty Non-Terminal with NSEC3
Lanlan Pan
abbypan at gmail.com
Wed Jan 17 07:12:56 UTC 2018
Viktor Dukhovni <ietf-dane at dukhovni.org>于2018年1月17日周三 下午2:42写道:
>
>
> > On Jan 17, 2018, at 1:04 AM, T.Suzuki <tss at reflection.co.jp> wrote:
> >
> > I can not understand. What is "provably" ? Where should I read in RFC.
> > <foobar>.gov.example is the name in the example zone.
> > And there is the ex.gov.example zone bellow example zone.
>
> The short answer is: DO NOT USE THE NSEC3 OPT-OUT BIT.
>
> A slightly longer answer is:
>
> With the OPT-OUT bit set in the NSEC3PARAM record, insecure
> delegations and associated empty non-terminals are excluded
> from the NSEC3 chain. Insecure delegations (NS without DS)
> are not protected by DNSSEC signatures when the OPT-OUT bit
> is used.
>
Maybe these 4 scenario:
(1) strong (whole zone): NSEC3 + not OptOut, Iterations + salt periodly
update
(2) relative(whole zone): NSEC3 + not OptOut,Iterations + salt update with
KSK/ZSK roll
(3) partly (x% secure delegation) : NSEC3 + OptOut,Iterations + salt update
with KSK/ZSK roll
(4) simple (x% secure delegation): NSEC3 + OptOut,Iterations = 0, empty
salt (such as verisign's .com)
>
> --
> Viktor.
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
--
致礼 Best Regards
潘蓝兰 Pan Lanlan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20180117/e88fd171/attachment.html>
More information about the dns-operations
mailing list