[dns-operations] Forged Delegation Injection into Empty Non-Terminal with NSEC3
T.Suzuki
tss at reflection.co.jp
Wed Jan 17 07:42:36 UTC 2018
On Wed, 17 Jan 2018 01:39:49 -0500
Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
>
> > On Jan 17, 2018, at 1:04 AM, T.Suzuki <tss at reflection.co.jp> wrote:
> >
> > I cannot understand. What is "provably"? Where should I read in the RFC?
> > <foobar>.gov.example is the name in the example zone.
> > And there is the ex.gov.example zone below the example zone.
>
> The short answer is: DO NOT USE THE NSEC3 OPT-OUT BIT.
>
> A slightly longer answer is:
>
> With the OPT-OUT bit set in the NSEC3PARAM record, insecure
> delegations and associated empty non-terminals are excluded
> from the NSEC3 chain. Insecure delegations (NS without DS)
> are not protected by DNSSEC signatures when the OPT-OUT bit
> is used.
Thank you for your reasonable answer.
--
------------------------------------------------------------------------------
T.Suzuki
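Added example (not code from this thread or from either poster): a small Python script that implements the RFC 5155 NSEC3 hash and audits a constructed zone to show what the Opt-Out bit does to the chain. The zone names mirror the ones in the thread (an ENT gov.example created by an insecure delegation ex.gov.example); the salt and iteration count are the ones from RFC 5155 Appendix A, and all function and variable names are assumptions for this illustration. One caveat for anyone checking their own zone: the Opt-Out bit is carried in the flags field of each NSEC3 RR (RFC 5155 section 3.1.2.1), while NSEC3PARAM carries the hash algorithm, iterations and salt a validator needs, so the audit below reads the flag from the NSEC3 records themselves.

```python
# Added example, not code from the dns-operations thread: RFC 5155 NSEC3 hashing
# plus an audit that reports which zone names sit in an Opt-Out span and are
# therefore not covered by the signed NSEC3 chain. Zone contents are constructed.
import base64
import hashlib

# base32hex (RFC 4648 extended hex alphabet) preserves sort order, which is
# what lets NSEC3 owner labels be compared as plain strings below.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")
NSEC3_FLAG_OPT_OUT = 0x01  # RFC 5155 section 3.1.2.1, flags field of each NSEC3 RR


def wire_name(name):
    """Canonical wire form (RFC 4034 6.2): lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 with hash algorithm 1 (SHA-1, the only one defined):
    IH(salt,x,0) = H(x || salt); IH(salt,x,k) = H(IH(salt,x,k-1) || salt).
    Returns the base32hex owner label as it appears in the zone file."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii")


def build_nsec3_chain(names, salt_hex, iterations, opt_out):
    """Construct the NSEC3 RRs a signer would emit for the names that get one.
    Each record is (owner_hash, flags, next_hash); the last record wraps to the first."""
    flags = NSEC3_FLAG_OPT_OUT if opt_out else 0
    owners = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(owners[i], flags, owners[(i + 1) % len(owners)]) for i in range(len(owners))]


def covering_span(chain, h):
    """Return the NSEC3 RR whose (owner, next) interval covers hash h, handling wrap-around."""
    for owner, flags, nxt in chain:
        if owner < nxt:
            if owner < h < nxt:
                return (owner, flags, nxt)
        elif h > owner or h < nxt:  # the final span wraps past the top of the hash space
            return (owner, flags, nxt)
    return None


def audit_names(names, chain, salt_hex, iterations):
    """Classify each name: 'signed' (has its own NSEC3), 'opt-out' (only covered by an
    Opt-Out span, so an insecure delegation or ENT there is not proven by DNSSEC),
    or 'broken' (no NSEC3 and the covering span is not Opt-Out: a chain error)."""
    owners = {owner for owner, _, _ in chain}
    result = {}
    for name in names:
        h = nsec3_hash(name, salt_hex, iterations)
        if h in owners:
            result[name] = "signed"
            continue
        span = covering_span(chain, h)
        if span is not None and span[1] & NSEC3_FLAG_OPT_OUT:
            result[name] = "opt-out"
        else:
            result[name] = "broken"
    return result


# Constructed zone mirroring the thread: 'example' apex, a signed name 'a.example',
# an insecure delegation 'ex.gov.example' and the ENT 'gov.example' it creates.
# With Opt-Out, the signer emits NSEC3 records only for example and a.example.
SALT, ITERATIONS = "aabbccdd", 12  # parameters from RFC 5155 Appendix A
SIGNED_NAMES = ["example", "a.example"]
ALL_NAMES = SIGNED_NAMES + ["gov.example", "ex.gov.example"]
OPT_OUT_CHAIN = build_nsec3_chain(SIGNED_NAMES, SALT, ITERATIONS, opt_out=True)
FULL_CHAIN = build_nsec3_chain(ALL_NAMES, SALT, ITERATIONS, opt_out=False)


def demo():
    """Audit the same four names against an Opt-Out chain and a full chain."""
    return {
        "opt_out": audit_names(ALL_NAMES, OPT_OUT_CHAIN, SALT, ITERATIONS),
        "no_opt_out": audit_names(ALL_NAMES, FULL_CHAIN, SALT, ITERATIONS),
    }


if __name__ == "__main__":
    for mode, report in demo().items():
        print(mode)
        for name, status in report.items():
            print(f"  {name:20s} {status}")
```

Running it prints two reports. With Opt-Out, gov.example (the empty non-terminal) and ex.gov.example (the insecure delegation) have no NSEC3 of their own and fall inside an Opt-Out span, so a validator treats an unsigned delegation there as insecure rather than bogus, which is the gap the subject line refers to. Without Opt-Out every name, ENTs included, gets its own NSEC3 and an unsigned delegation that is not in the chain fails validation. The same audit_names check can be run over the real NSEC3 records of a zone (for example from a zone transfer) to list which names are only covered by Opt-Out spans.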