On Mon, Feb 28, 2022 at 03:43:59PM +0100, Petr Špaček wrote:

> Keep this:
>  >>> 3.2.  Recommendation for validating resolvers
>  >>>     Note that a validating resolver MUST still validate the signature
>  >>>     over the NSEC3 record to ensure the iteration count was not altered
>  >>>     since record publication (see [RFC5155] section 10.3).
> 
> And here add this as continuation of the previous sentence?
> 
> ... because the invalid signature might have additional implications.
> E.g. EDE code, or insecure validation status if an implementation chose
> to treat a certain range of NSEC3 iteration values as DNSSEC-insecure etc.
> 
> (modulo grammar fixes etc., of course)
> 
> I think this makes the reason clear to everyone and also makes it
> somewhat legal to ignore signature validation IF "visible outcome"
> does not change by doing so.
> 
> What do you think?

I don't understand this comment; the reason for the signature check is
that otherwise we get trivial downgrade attacks.  NSEC3 replies from
a signed zone with an invalid signature MUST be treated as "bogus".

What did you have in mind?  What does "visible outcome" mean?

-- 
    Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
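
An added example, not part of the original messages or of any resolver's code: a sketch of the check order discussed in this thread, showing that a resolver which applies an iteration-count policy before verifying the signature turns an altered record into "insecure" instead of "bogus". Assumptions: HMAC-SHA256 stands in for real RRSIG verification, and the key, the record fields and the policy limit `INSECURE_ABOVE` are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

ZONE_KEY = b"constructed-demo-key"  # stand-in for the zone's signing key
INSECURE_ABOVE = 100                # hypothetical local policy limit


@dataclass(frozen=True)
class Nsec3:
    owner: str
    iterations: int
    salt: bytes
    next_hashed: str
    sig: bytes = b""

    def signed_bytes(self) -> bytes:
        # Everything the signature covers, including the iteration count.
        return b"|".join([self.owner.encode(), str(self.iterations).encode(),
                          self.salt, self.next_hashed.encode()])


def sign(rr: Nsec3) -> Nsec3:
    mac = hmac.new(ZONE_KEY, rr.signed_bytes(), hashlib.sha256).digest()
    return replace(rr, sig=mac)


def signature_ok(rr: Nsec3) -> bool:
    expected = hmac.new(ZONE_KEY, rr.signed_bytes(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, rr.sig)


def tamper_iterations(rr: Nsec3, n: int) -> Nsec3:
    # Models a record whose iteration count changed after publication.
    return replace(rr, iterations=n)


def validate(rr: Nsec3) -> str:
    # Signature first: an altered record is bogus whatever its fields say.
    if not signature_ok(rr):
        return "bogus"
    return "insecure" if rr.iterations > INSECURE_ABOVE else "secure"


def validate_wrong_order(rr: Nsec3) -> str:
    # Policy first: trusts an unauthenticated iteration count (downgrade).
    if rr.iterations > INSECURE_ABOVE:
        return "insecure"
    return "secure" if signature_ok(rr) else "bogus"


published = sign(Nsec3("constructed-hash.example.", 10, b"\xab\xcd", "next"))
```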
