[dns-operations] Forged Delegation Injection into Empty Non-Terminal with NSEC3

Lanlan Pan abbypan at gmail.com
Thu Jan 18 03:31:04 UTC 2018


Viktor Dukhovni <ietf-dane at dukhovni.org>于2018年1月17日周三 下午11:09写道:

>
>
> > On Jan 17, 2018, at 2:12 AM, Lanlan Pan <abbypan at gmail.com> wrote:
> >
> > With the OPT-OUT bit set in the NSEC3PARAM record, insecure
> > delegations and associated empty non-terminals are excluded
> > from the NSEC3 chain.  Insecure delegations (NS without DS)
> > are not protected by DNSSEC signatures when the OPT-OUT bit
> > is used.
> >
> > Maybe these 4 scenario:
> > (1) strong (whole zone): NSEC3 + not OptOut, Iterations + salt  periodly
> update
> >
> > (2) relative(whole zone): NSEC3 + not OptOut,Iterations + salt update
> with KSK/ZSK roll
> >
> > (3) partly (x% secure delegation) : NSEC3 + OptOut,Iterations + salt
> update with KSK/ZSK roll
> >
> > (4) simple (x% secure delegation): NSEC3 + OptOut,Iterations = 0, empty
> salt (such as verisign's .com)
>
> Yes, some operators who know *exactly* what they're doing are using opt-out
> correctly.  My answer above is for the rest of the world.  Your 4 scenarios
> look reasonable, I would also add a case with empty salt and yet no
> opt-out,
> with all signing incremental (even across KSK/ZSK rolls).
>

Yes, these are in theory.

Real world is few DNSSEC deployment, and hard to imagine that many
operators will know what is NSEC3.


>
> --
>         Viktor.
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations
> <https://lists.dns-oarc.net/mailman/listinfo/dns-operationsdns-operations>
> mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>


-- 
致礼  Best Regards

潘蓝兰  Pan Lanlan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20180118/9b3ca073/attachment.html>


More information about the dns-operations mailing list