Hi all,
We submitted a draft about DNS delegation confirmation. In the
current DNS delegation mechanism, a delegated zone/child zone can specify any
NS records at the zone apex without requiring confirmation from the zone
maintaining Glue records of these NS record. This could be exploited to lunch
new types of attacks such as NXNSattack. This draft suggests a lightweight
and backward-compatible mechanism to mitigate the risk of these attacks.
Any comments are welcome!
[email protected]
From: internet-drafts
Date: 2024-01-02 14:42
To: Peng Zuo; Zhiwei Yan
Subject: New Version Notification for
draft-zuo-dnsop-delegation-confirmation-00.txt
A new version of Internet-Draft draft-zuo-dnsop-delegation-confirmation-00.txt
has been successfully submitted by Zhiwei Yan and posted to the
IETF repository.
Name: draft-zuo-dnsop-delegation-confirmation
Revision: 00
Title: A lightweight DNS delegation confirmation protocol
Date: 2024-01-01
Group: Individual Submission
Pages: 13
URL:
https://www.ietf.org/archive/id/draft-zuo-dnsop-delegation-confirmation-00.txt
Status:
https://datatracker.ietf.org/doc/draft-zuo-dnsop-delegation-confirmation/
HTMLized:
https://datatracker.ietf.org/doc/html/draft-zuo-dnsop-delegation-confirmation
Abstract:
Delegation occurs when an NS record is added in the parent zone for
the child origin. In the current DNS delegation mechanism, a
delegated zone/child zone (see Section1.1 for definition of delegated
zone) can specify any NS records at the zone apex without requiring
confirmation from the zone maintaining Glue records of the NS record.
Recently, new types of attacks that exploit this flaw have been
discovered. This draft suggests a protocol-level solution for DNS
delegation confirmation to reduce the risk of these attacks.
The IETF Secretariat
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
