On 18.7.2017 14:50, Mukund Sivaraman wrote:
> Hi Paul
>
> On Tue, Jul 18, 2017 at 02:35:31PM +0200, Paul Hoffman wrote:
>> On 18 Jul 2017, at 11:46, Mukund Sivaraman wrote:
>>
>>> Will you give some thought and reply with your opinion on NSEC/NSEC3 for
>>> unsigned zones requiring the DNS COOKIE option in transmission, that can
>>> be used with draft-ietf-dnsop-nsec-aggressiveuse?
>>
>> Of what value is the result? Is it worth the hassle for the zone admin?
>
> It is to put draft-ietf-dnsop-nsec-aggressiveuse to use with unsigned
> zones. A zone admin would not have to do anything operationally except
> enable/disable the feature.
>
> Dealing with water torture and some other attacks has had several
> band-aid approaches that don't always work well in practice. The most
> promising (and what feels correct) is
> draft-ietf-dnsop-nsec-aggressiveuse, but it doesn't work for unsigned
> zones.
For me this is an incentive to get more zones signed, not to add kludges
just for unsigned ones.

There surely are "operational and other reasons" not to sign a zone,
associated with some cost. Signing and serving a signed zone have cost_1
and serving an unsigned zone has cost_2 (which needs to incorporate the
cost of attacks mitigated by DNSSEC). Eventually cost_2 of serving an
unsigned zone might get high enough that solving the "operational and
other reasons" becomes cheaper than paying cost_1 for signing and serving
a signed zone. I would wait for that.

--
Petr Špaček @ CZ.NIC

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
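The mechanism the thread argues about, as an added example that is not part of the mailing-list discussion or of any resolver's code: a small model of the aggressive-NSEC-use cache from draft-ietf-dnsop-nsec-aggressiveuse (published as RFC 8198). It implements the covering check a validating resolver makes before answering NXDOMAIN from a cached NSEC (canonical name ordering per RFC 4034 section 6.1, the wrap-around of the last NSEC to the apex, and the parent-side delegation case), and then fires random-subdomain "water torture" queries at it to show why signed zones let the resolver absorb the attack. The zone contents, the class and function names, and the simplifications (RRSIGs assumed already validated, the wildcard proof RFC 8198 also requires left out) are all assumptions of this example.

```python
"""Aggressive use of cached NSEC records (RFC 8198) against random-subdomain
("water torture") queries.

Added example, not code from the DNSOP thread above. It models the check a
validating resolver makes before answering NXDOMAIN from its cache: a
validated NSEC record `owner NSEC next` proves that no name sorting strictly
between owner and next in DNSSEC canonical order (RFC 4034 section 6.1)
exists. The example assumes the RRSIGs have already been validated and leaves
out the wildcard proof RFC 8198 also requires; the zone contents below are
constructed for illustration.
"""
import random


def canonical_key(name):
    """Sort key giving RFC 4034 section 6.1 canonical DNS name ordering.

    Names are compared starting at the root label, labels are compared as
    lower-case byte strings, and a name that is a proper ancestor of another
    sorts first. Reversing the label list gives exactly that under Python's
    tuple ordering.
    """
    labels = [lbl.encode().lower() for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(reversed(labels))


def nsec_covers(owner, next_name, types, qname):
    """True if `owner NSEC next_name` (type bitmap `types`) proves qname absent."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if q in (o, n):
        return False  # both end points of the NSEC exist
    if "NS" in types and "SOA" not in types and q[:len(o)] == o:
        # owner is a delegation: the parent-side NSEC says nothing about names
        # beneath it, which live in the child zone.
        return False
    if o < n:
        return o < q < n
    # Last NSEC in the zone: next_name is the apex, so the record covers every
    # name in the zone that sorts after owner.
    return q[:len(n)] == n and q > o


class AggressiveNegativeCache:
    """Minimal model of an RFC 8198 resolver cache holding validated NSECs."""

    def __init__(self):
        self.nsecs = []

    def add_nsec(self, owner, next_name, types):
        self.nsecs.append((owner, next_name, frozenset(types)))

    def lookup(self, qname):
        """Return "NXDOMAIN" when a cached NSEC proves qname absent, otherwise
        None, meaning the resolver has to send the query upstream."""
        for owner, next_name, types in self.nsecs:
            if nsec_covers(owner, next_name, types, qname):
                return "NXDOMAIN"
        return None


def example_cache():
    """Constructed NSEC chain of a signed zone "example." (apex, a, the
    delegation "child", and m) as a resolver might have cached it."""
    cache = AggressiveNegativeCache()
    cache.add_nsec("example.", "a.example.", {"SOA", "NS", "NSEC", "RRSIG"})
    cache.add_nsec("a.example.", "child.example.", {"A", "NSEC", "RRSIG"})
    cache.add_nsec("child.example.", "m.example.", {"NS", "DS", "NSEC", "RRSIG"})
    cache.add_nsec("m.example.", "example.", {"A", "NSEC", "RRSIG"})
    return cache


def simulate_water_torture(cache, queries=1000, seed=1):
    """Fire random-subdomain queries at the cache and count how many are
    absorbed without an upstream query. Returns (answered, sent_upstream)."""
    rng = random.Random(seed)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    answered = upstream = 0
    for _ in range(queries):
        label = "".join(rng.choice(alphabet) for _ in range(8))
        if cache.lookup(f"{label}.example.") == "NXDOMAIN":
            answered += 1
        else:
            upstream += 1
    return answered, upstream


if __name__ == "__main__":
    cache = example_cache()
    for q in ["b.example.", "zzz.example.", "M.Example.",
              "foo.child.example.", "b.other."]:
        print(f"{q:22} -> {cache.lookup(q)}")
    print("water torture:", simulate_water_torture(cache))
```

For an unsigned zone there is no NSEC chain to cache, so every random name in the attack becomes an upstream query; that is the gap the quoted proposal wanted to close with cookie-gated NSEC records for unsigned zones, and the reply above answers it by pointing at signing instead.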
