On Mon, May 9, 2016 at 2:01 PM, 神明達哉 <jin...@wide.ad.jp> wrote:

> At Mon, 25 Apr 2016 21:39:32 +0200,
> Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
>
> >  Stephane Bortzmeyer <bortzme...@nic.fr> wrote
> >  a message of 17 lines which said:
> >
> > > >         Title           : NXDOMAIN really means there is nothing underneath
> > > >         Authors         : Stephane Bortzmeyer
> > > >                           Shumon Huque
> > > >     Filename        : draft-ietf-dnsop-nxdomain-cut-02.txt
> > >
> > > We believe it implements all the changes that were on the slides at
> > > the Buenos Aires meeting and that it addresses all the remarks we got
> > > (and even a few more).
> >
> > It seems everyone was tired after Buenos-Aires. Come on, you certainly
> > have something to say, positive or negative, about this draft.
>
> I've just read the very latest version (03) of the draft.  It looks
> good to me.  I'd even support it if there were now a WG last call.
>
> I've noticed a couple of minor points in this iteration of reading.  You
> may or may not want to address them in a subsequent version:
>
> - Section 2
>
>    If the NXDOMAIN response due to a cached non-existence is from a
>    DNSSEC signed zone, then it will have accompanying NSEC or NSEC3
>    records that authenticate the non-existence of the name.  [...]
>
>   The behavior described in this section is one form of
>   [I-D.fujiwara-dnsop-nsec-aggressiveuse].  You might note this point,
>   referring to the I-D (and maybe also referring to Appendix B).
>

We did consider adding a reference to it earlier, but decided to wait to
see if it would be adopted by the working group. Perhaps it's time now.


> - Section 3
>
>    "NXDOMAIN cut" may also help mitigate certain types of random QNAME
>    attacks [joost-dnsterror] [balakrichenan-dafa888], where there is a
>    fixed suffix which does not exist.
>
>   This is true, but I suspect it would be pretty easy for this type of
>   attacker to circumvent the effect if and when the nxdomain-cut
>   behavior is more widely deployed.  An attacker for the '.wf' zone
>   would simply send random junk query <random>.wf instead of
>   <random>.dafa888.wf.  So I think the mitigation effect in this sense
>   is quite limited.
>

Yes, that's why we were careful to say that "certain types" of attacks
"may" be mitigated. Implicit in that sentence was the recognition that
other patterns of random subdomain attacks would not be stopped and
that attackers could adapt. Do you have a specific suggestion regarding
the text? Did you want the limitation stated more explicitly? Or do you
think this topic isn't worth mentioning? Or ...

-- 
Shumon Huque
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
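The NXDOMAIN-cut behaviour the draft describes, together with the limitation raised in the reply above, as an added example that is not part of this thread or of the draft: a toy resolver cache over constructed authoritative data, which assumes QNAME minimisation (RFC 7816, not mentioned in the thread) so that the non-existent suffix itself gets queried. It shows that a random-subdomain query stream under a non-existent suffix costs two upstream queries in total, while the same stream sent directly under an existing zone costs one upstream query per name.

```python
import random
import string
from dataclasses import dataclass, field

# Constructed authoritative data (not the real .wf zone): names that exist.
# A name absent from here, with no descendants here, answers NXDOMAIN.
EXISTING_NAMES = {"wf", "nic.wf", "www.nic.wf"}


def ancestors(name):
    """'a.b.wf' -> ['wf', 'b.wf', 'a.b.wf'], top-most name first."""
    parts = name.lower().rstrip(".").split(".")
    return [".".join(parts[i:]) for i in reversed(range(len(parts)))]


@dataclass
class Resolver:
    nxdomain_cache: set = field(default_factory=set)
    positive_cache: set = field(default_factory=set)
    upstream_queries: int = 0

    def authoritative_lookup(self, name):
        """Stand-in for the upstream query; counts each one it answers."""
        self.upstream_queries += 1
        if name in EXISTING_NAMES or any(n.endswith("." + name) for n in EXISTING_NAMES):
            return "NOERROR"
        return "NXDOMAIN"

    def resolve(self, qname):
        """Return (rcode, 'cache' or 'upstream'). Ancestors are queried top-down
        (QNAME minimisation, assumed here). A cached NXDOMAIN covers every name
        below it; walking top-down, it never implies anything about names above."""
        source = "cache"
        for name in ancestors(qname):
            if name in self.nxdomain_cache:
                return "NXDOMAIN", source
            if name in self.positive_cache:
                continue
            source = "upstream"
            if self.authoritative_lookup(name) == "NXDOMAIN":
                self.nxdomain_cache.add(name)
                return "NXDOMAIN", source
            self.positive_cache.add(name)
        return "NOERROR", source


def upstream_cost(suffix, n=1000, seed=1):
    """Upstream queries a fresh resolver makes for n constructed random names under suffix."""
    rng, resolver = random.Random(seed), Resolver()
    for _ in range(n):
        resolver.resolve("".join(rng.choices(string.ascii_lowercase, k=8)) + "." + suffix)
    return resolver.upstream_queries
```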
