Re: Query Regarding NSEC RR in DNSSEC

2012-02-15 Thread Chris Thompson
On Feb 14 2012, Gaurav kansal wrote: We have an Authenticated Response in DNSSEC through trust chain. Now my question is why we itself need an NSEC when we get response from DNSSEC enabled server authentically. Means, if a Record exists in DNSSEC, then it replies the answer along with RRSIG of th

Re: Query Regarding NSEC RR in DNSSEC

2012-02-14 Thread Marco Davids
Hello Gaurav, You might want to have a look at our whitepaper on 'authenticated denial of existence' to gain a better understanding of this somewhat complicated aspect of the DNSSEC specification: https://www.sidn.nl/fileadmin/docs/PDF-files_UK/wp-2011-0x01-v2.pdf Regards, -- Marco On 02/14/20

Re: Query Regarding NSEC RR in DNSSEC

2012-02-14 Thread Chris Buxton
Briefly, the answer is, the NXDOMAIN response could be replayed by a man-in-the-middle attacker. We need to have something to sign, something specific to that query. If we just return the zone's SOA record and its signature, we're still subject to a replay attack. So we need to prove the negati

RE: Query Regarding NSEC RR in DNSSEC

2012-02-14 Thread Spain, Dr. Jeffry A.
> We have an Authenticated Response in DNSSEC through trust chain. > Now my question is why we itself need an NSEC when we get response from DNSSEC > enabled server authentically. > Means, if a Record exists in DNSSEC, then it replies the answer along with > RRSIG of that RR. > AND if domain doesn

Re: Query Regarding NSEC RR in DNSSEC

2012-02-14 Thread Miek Gieben
[ Quoting at 22:53 on Feb 14 in "Query Regarding NSEC..." ] > Dear Team, > > We have an Authenticated Response in DNSSEC through trust chain. > > Now my question is why we itself need an NSEC when we get response from DNSSEC > enabled server authentically. > > > > Means, if a Record exists in

Query Regarding NSEC RR in DNSSEC

2012-02-14 Thread Gaurav kansal
Dear Team, We have an Authenticated Response in DNSSEC through trust chain. Now my question is why we itself need an NSEC when we get response from DNSSEC enabled server authentically. Means, if a Record exists in DNSSEC, then it replies the answer along with RRSIG of that RR. AND if domain