[dns-operations] Forged Delegation Injection into Empty Non-Terminal with NSEC3
T.Suzuki
tss at reflection.co.jp
Wed Jan 17 07:41:47 UTC 2018
On Wed, 17 Jan 2018 18:13:39 +1100
Mark Andrews <marka at isc.org> wrote:
> Also from RFC 5155
>
> Each empty non-terminal MUST have a corresponding NSEC3 RR, unless
> the empty non-terminal is only derived from an insecure delegation
> covered by an Opt-Out NSEC3 RR.
>
> The example ENTs presented are part of the unless.
Thank you.
May I think that NSD + dnssec-signzone has been broken? (also gov.ac?)
--
------------------------------------------------------------------------------
T.Suzuki
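
The RFC 5155 rule quoted above, as an added example that is not part of the original post: a Python sketch that lists which owner names and empty non-terminals (ENTs) need an NSEC3 RR. The zone contents, the function names, and the assumption that the signer opts out every insecure delegation are constructed for illustration.

```python
def ancestors(name, apex):
    """Yield the proper ancestors of name that lie strictly below the apex."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        anc = ".".join(labels[i:])
        if anc == apex or not anc.endswith("." + apex):
            break
        yield anc

def nsec3_owners(zone, apex, opt_out=True):
    """Return (names that MUST have an NSEC3 RR, ENTs exempted by Opt-Out)."""
    cuts = {n for n, types in zone.items() if n != apex and "NS" in types}
    # Names below a zone cut (glue) are not authoritative and get no NSEC3.
    auth = {n for n in zone
            if not any(a in cuts for a in ancestors(n, apex))}
    # Assumption: with Opt-Out the signer skips every insecure delegation (NS, no DS).
    skipped = {n for n in cuts & auth if opt_out and "DS" not in zone[n]}
    required = auth - skipped
    # Map each ENT to the authoritative names it is derived from.
    ents = {}
    for n in auth:
        for a in ancestors(n, apex):
            if a not in auth:
                ents.setdefault(a, set()).add(n)
    exempt = set()
    for ent, below in ents.items():
        if below <= skipped:      # derived only from opted-out insecure delegations
            exempt.add(ent)
        else:                     # anything else below it: the ENT MUST have an NSEC3
            required.add(ent)
    return required, exempt

# Constructed sample zone: owner name -> RR types present at that name.
ZONE = {
    "example": {"SOA", "NS", "DNSKEY"},
    "www.example": {"A"},
    "host.dept.example": {"A"},             # dept.example: ENT above signed data
    "child.unsigned.example": {"NS"},       # insecure delegation
    "ns.child.unsigned.example": {"A"},     # glue below the cut
    "kid.mixed.example": {"NS"},            # insecure delegation
    "txt.mixed.example": {"TXT"},           # signed data under the same ENT
    "secure.signed.example": {"NS", "DS"},  # secure delegation
}

if __name__ == "__main__":
    required, exempt = nsec3_owners(ZONE, "example")
    print("MUST have NSEC3:", sorted(required))
    print("ENTs exempt under Opt-Out:", sorted(exempt))
```

Comparing the `required` set with the NSEC3 owner names actually present in a signed zone shows whether a signer omitted an NSEC3 for an ENT that falls outside the "unless" clause, such as `mixed.example` here.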