[dns-operations] Forged Delegation Injection into Empty Non-Terminal with NSEC3

T.Suzuki tss at reflection.co.jp
Wed Jan 17 07:41:47 UTC 2018

On Wed, 17 Jan 2018 18:13:39 +1100
Mark Andrews <marka at isc.org> wrote:

> Also from RFC 5155
>       Each empty non-terminal MUST have a corresponding NSEC3 RR, unless
>       the empty non-terminal is only derived from an insecure delegation
>       covered by an Opt-Out NSEC3 RR.
> The example ENTs presented are part of the unless.

Thank you.

May I think that NSD + dnssec-signzone has been broken ? (also gov.ac ?)


More information about the dns-operations mailing list