At 15:54 22/01/2010, Alex Bligh wrote:
--On 22 January 2010 15:45:54 -0500 Edward Lewis <ed.le...@neustar.biz> wrote:
contents) in example.org. So, whilst opt-out should be avoided
across intervals containing secure delegations, I see no reason
to avoid it across intervals that don't contain secure delegations.
Opt-out is restricted to "intervals" that contain only unsecured
delegations.
Doh! Yes indeed. In which case I stand by my original argument: I can't see how opt-out really increases spoofability. It can't affect a secure delegation, and the contents of an insecure delegation or denial thereof (if not the delegation itself) are spoofable with or without opt-out. Paul's example of a secure delegation with opt-out across it can't exist.
Let's say example is signed, and bank.example is signed using NSEC3 with opt-out in one span to hide one division.
Let's say secure.bank.example by coincidence falls into the opted-out gap.
Now a phisher can attempt to insert an insecure delegation called secure.bank.example into caches and send mails telling people to visit this site to claim their prize.
Opt-out was designed for large delegation-only/mostly zones; in almost all other cases it should not be used.
The use of NSEC vs NSEC3 in zone is a different discussion.
A zone that contains guessable names gains almost nothing from using NSEC3.
A zone operator may still feel better using NSEC3 :-)
If you really want to hide the content of your zone, only epsilon signing will work: RFC4470+RFC4471.
Olafur
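The secure.bank.example scenario above, worked through as an added example (not code from the thread or from any DNS implementation): a minimal NSEC3 hash and span lookup showing what a validator can conclude when a child name with no DS record falls into a span, with and without the Opt-Out flag. The zone contents, salt and iteration count are constructed for the demonstration.

```python
import base64
import hashlib

# Base32hex (RFC 4648 section 7) alphabet used for NSEC3 owner names;
# its ASCII order equals numeric order, so string comparison orders hashes
_B32_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                            "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: SHA-1 over the canonical wire-format name plus
    salt, re-hashed `iterations` more times, encoded in Base32hex."""
    labels = [l.encode() for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32_TO_HEX)

def build_chain(signed_names, opt_out, salt=b"", iterations=0):
    """Constructed NSEC3 chain: (owner_hash, next_hash, opt_out) tuples in
    hash order; the last record wraps around to the first."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in signed_names)
    return [(h, hashes[(i + 1) % len(hashes)], opt_out)
            for i, h in enumerate(hashes)]

def covers(owner, nxt, target):
    """True if target lies strictly inside the span (owner, next)."""
    if owner < nxt:
        return owner < target < nxt
    return target > owner or target < nxt   # wrap-around span at chain end

def delegation_status(chain, name, salt=b"", iterations=0):
    """What a validator can conclude about a child name that arrives with
    an unsigned delegation and no DS: 'exists' (an NSEC3 matches; consult
    its type bitmap), 'secure' (a normal span covers it, so absence of DS
    is proven and the unsigned delegation is bogus), or 'insecure' (an
    Opt-Out span covers it, so absence of DS cannot be proven and RFC 5155
    section 8.9 has the validator accept the delegation as insecure)."""
    h = nsec3_hash(name, salt, iterations)
    for owner, nxt, opt_out in chain:
        if h == owner:
            return "exists"
        if covers(owner, nxt, h):
            return "insecure" if opt_out else "secure"
    return "bogus"   # nothing matches or covers the name: proof is missing

SALT = bytes.fromhex("abcd")   # constructed salt, not from any real zone
SIGNED = ["bank.example", "www.bank.example", "accounts.bank.example"]

if __name__ == "__main__":
    for flag in (False, True):
        chain = build_chain(SIGNED, flag, SALT, 1)
        print("opt-out" if flag else "no opt-out",
              delegation_status(chain, "secure.bank.example", SALT, 1))
```

With every span flagged Opt-Out the constructed zone can never prove that secure.bank.example lacks a DS, which is exactly the gap the phisher in the scenario relies on; with no Opt-Out spans the same unsigned delegation is rejected as bogus.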
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop