Hi

Not trying to start a flame war, but the logical conclusion is that for many use cases you will gain a tiny bit of security by not signing your IPv6 reverse zones - since the actual impact of cache poisoning on reverse zones might be more limited than that of easy enumeration of the network. :-)

However, everyone placing things in DNS of course has to be aware that it is public data, so the "enumeration" threat is IMO something I wouldn't care deeply about.

Best regards,
Jimmy

On Thu, Mar 8, 2012 at 1:14 PM, Olaf Kolkman <[email protected]> wrote:
>
> On Mar 8, 2012, at 12:59 PM, Dick Visser wrote:
>
>>> While I understand the argument that an IPv4-reverse zone is trivially
>>> enumerated, that will change when IPv6 becomes more common. Naively
>>> trying every IP is just not feasible anymore. In that case NSEC will
>>> actually be helpful in finding addresses that are assigned.
>
> try
>
> dig @open.nlnetlabs.nl 0.6.0.2.0.8.b.7.0.1.0.0.2.ip6.arpa.
>
> and
>
> dig @open.nlnetlabs.nl 2.6.0.2.0.8.b.7.0.1.0.0.2.ip6.arpa.
>
> The first query gives you NOERROR (and an empty answer section). This means
> that for 0.6.0.2.0.8.b.7.0.1.0.0.2.ip6.arpa. the queried type (A) does not exist
> at this node, but the node itself does. The tree may have more depth.
>
> The second query gives you NXDOMAIN which means it does not exist and that
> there are also no subdomains. The domain tree stops here.
>
> Although these answers might be a bit implementation dependent it is trivial
> to enumerate an IPv6 address tree.
>
> -Olaf
>
> ________________________________________________________
>
> Olaf M. Kolkman NLnet Labs
> http://www.nlnetlabs.nl/
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
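Added example, not written by anyone in the thread: the two names in the dig commands above are nothing more than an IPv6 prefix written as nibble-reversed labels under ip6.arpa, which is why the reverse tree has a fixed, shallow branching factor (16 children per node, at most 32 nibble levels) regardless of whether the zone is signed. The standard-library Python below converts between an IPv6 prefix and its ip6.arpa owner name in both directions, and classifies an authoritative reply the way Olaf's message does (NXDOMAIN: node and subtree absent; NOERROR with an empty answer section: node exists, the tree may continue). It assumes prefix lengths on nibble boundaries and takes the rcode as the string dig prints; it performs no queries. For a zone operator it makes concrete what a reverse zone already exposes before any NSEC record is added.

```python
import ipaddress


def ip6_arpa_name(prefix: str) -> str:
    """Owner name in ip6.arpa for an IPv6 prefix such as '2001:7b8:206::/52'.

    Reverse DNS for IPv6 uses one label per hex nibble, least significant
    nibble first, so a /52 is 13 labels deep and a full /128 is 32 deep.
    The prefix length must be a multiple of 4 to land on a label boundary
    (assumption of this example; shorter prefixes would need a range of names).
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 for ip6.arpa")
    nibbles = format(int(net.network_address), "032x")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ip6_prefix_from_arpa(name: str) -> str:
    """Inverse of ip6_arpa_name: turn an ip6.arpa owner name back into an
    IPv6 prefix in CIDR notation, padding the unspecified low nibbles with 0."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        raise ValueError("not an ip6.arpa name")
    nibbles = labels[:-2]
    if any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
        raise ValueError("ip6.arpa labels must be single hex digits")
    hexstr = "".join(reversed(nibbles)).ljust(32, "0")
    addr = ipaddress.IPv6Address(int(hexstr, 16))
    return f"{addr}/{4 * len(nibbles)}"


def subtree_status(rcode: str, answer_count: int) -> str:
    """Classify an authoritative reply for an ip6.arpa node as the thread
    describes it. rcode is the textual code dig prints (constructed input)."""
    if rcode == "NXDOMAIN":
        # Name does not exist and, by DNS semantics, nothing exists below it.
        return "absent: no node here and no subtree"
    if rcode == "NOERROR" and answer_count == 0:
        # NODATA: the node exists (perhaps only as an empty non-terminal),
        # so deeper labels may exist beneath it.
        return "empty node: exists, subtree may continue"
    if rcode == "NOERROR":
        return "node with data"
    return f"inconclusive ({rcode})"


if __name__ == "__main__":
    # The two names from the dig commands in the thread, decoded.
    for name in ("0.6.0.2.0.8.b.7.0.1.0.0.2.ip6.arpa.",
                 "2.6.0.2.0.8.b.7.0.1.0.0.2.ip6.arpa."):
        print(name, "->", ip6_prefix_from_arpa(name))
    print(subtree_status("NOERROR", 0))
    print(subtree_status("NXDOMAIN", 0))
```

Running it shows that the first dig name is the /52 prefix 2001:7b8:206:: and the second is 2001:7b8:206:2000::, i.e. two sibling nodes at the 13th nibble level; the NODATA/NXDOMAIN distinction tells a querier which of the sixteen siblings at each level are worth descending into, with or without NSEC.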
