Hi Paul
On Tue, Jul 18, 2017 at 02:35:31PM +0200, Paul Hoffman wrote:
> On 18 Jul 2017, at 11:46, Mukund Sivaraman wrote:
>
> > Will you give some thought and reply with your opinion on NSEC/NSEC3 for
> > unsigned zones requiring the DNS COOKIE option in transmission, that can
> > be used with draft-ietf-dnsop-nsec-aggressiveuse?
>
> Of what value is the result? Is it worth the hassle for the zone admin?
It is to put draft-ietf-dnsop-nsec-aggressiveuse to use with unsigned
zones. A zone admin would not have to do anything operationally except
enable/disable the feature.
Dealing with water torture and some other attacks have had several
band-aid approaches that don't always work well in practice. The most
promising (and what feels correct) is
draft-ietf-dnsop-nsec-aggressiveuse, but it doesn't work for unsigned
zones.
Mukund
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
