[dns-operations] Forged Delegation Injection into Empty Non-Terminal with NSEC3
T.Suzuki
tss at reflection.co.jp
Wed Jan 17 07:55:40 UTC 2018
On Wed, 17 Jan 2018 16:41:47 +0900
"T.Suzuki" <tss at reflection.co.jp> wrote:
> On Wed, 17 Jan 2018 18:13:39 +1100
> Mark Andrews <marka at isc.org> wrote:
>
> > Also from RFC 5155
> >
> > Each empty non-terminal MUST have a corresponding NSEC3 RR, unless
> > the empty non-terminal is only derived from an insecure delegation
> > covered by an Opt-Out NSEC3 RR.
> >
> > The example ENTs presented are part of the unless.
>
> Thank you.
>
> May I think that NSD + dnssec-signzone has been broken? (also gov.ac?)
I'm sorry. I see. You say "do not use." So the tools are not broken. OK?
--
------------------------------------------------------------------------------
T.Suzuki