[dns-operations] Forged Delegation Injection into Empty Non-Terminal with NSEC3

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Jan 17 15:05:50 UTC 2018

> On Jan 17, 2018, at 2:12 AM, Lanlan Pan <abbypan at gmail.com> wrote:
> With the OPT-OUT bit set in the NSEC3PARAM record, insecure
> delegations and associated empty non-terminals are excluded
> from the NSEC3 chain.  Insecure delegations (NS without DS)
> are not protected by DNSSEC signatures when the OPT-OUT bit
> is used.
> Maybe these 4 scenario:
> (1) strong (whole zone): NSEC3 + not OptOut, Iterations + salt  periodly update 
> (2) relative(whole zone): NSEC3 + not OptOut,Iterations + salt update with KSK/ZSK roll
> (3) partly (x% secure delegation) : NSEC3 + OptOut,Iterations + salt update with KSK/ZSK roll
> (4) simple (x% secure delegation): NSEC3 + OptOut,Iterations = 0, empty salt (such as verisign's .com)

Yes, some operators who know *exactly* what they're doing are using opt-out
correctly.  My answer above is for the rest of the world.  Your 4 scenarios
look reasonable, I would also add a case with empty salt and yet no opt-out,
with all signing incremental (even across KSK/ZSK rolls).


More information about the dns-operations mailing list