On 24.3.2015 21:04, Bob Harold wrote:
But for the servers and public to know which key to use, there will need
to be some id that matches NSEC5 records to the matching NSEC5 key.
That requires changing the format of the NSEC5 records, so it cannot be
done later.
You
On Mar 23, 2015, at 6:23 PM, Jan Včelák jan.vce...@nic.cz wrote:
This proposal continues to have fundamental problems that are not documented
in the draft.
- The statement "NSEC3 offline dictionary attacks are still possible
and have been demonstrated" doesn't take into account trivial
On 24.3.2015 21:25, Paul Wouters wrote:
On Tue, 24 Mar 2015, Jan Včelák wrote:
The contents of zones quickly become visible, what with passive DNS,
DITL, people who connect in place X, and then reopen their laptop in
place Y, etc.
I know and I completely agree.
On the other hand, there
* Paul Hoffman [2015-03-24 13:57]:
On Mar 23, 2015, at 6:23 PM, Jan Včelák jan.vce...@nic.cz wrote:
- The statement "NSEC3 offline dictionary attacks are still possible
and have been demonstrated" doesn't take into account trivial changes that
an operator can choose to take if they are
On 24.3.2015 13:57, Paul Hoffman wrote:
On Mar 23, 2015, at 6:23 PM, Jan Včelák jan.vce...@nic.cz wrote:
This proposal continues to have fundamental problems that are not
documented in the draft.
- The statement about NSEC3 offline dictionary attacks are still possible
and have been
On Mar 24, 2015, at 11:11 AM, Warren Kumari war...@kumari.net wrote:
There is a paper Stretching NSEC3 to the Limit: Efficient Zone
Enumeration Attacks on NSEC3 Variants by Sharon Goldberg et al, which
covers some of the trivial solutions and explains why it won't work:
On 24.3.2015 19:11, Warren Kumari wrote:
On Tue, Mar 24, 2015 at 9:56 AM, Jan Včelák jan.vce...@nic.cz wrote:
On 24.3.2015 13:57, Paul Hoffman wrote:
On Mar 23, 2015, at 6:23 PM, Jan Včelák jan.vce...@nic.cz wrote:
This proposal continues to have fundamental problems that are not
documented
On Mon, Mar 23, 2015 at 6:38 PM, Jan Včelák jan.vce...@nic.cz wrote:
On 23.3.2015 18:26, Bob Harold wrote:
I think we might need to allow for more than one NSEC5 key and chain,
during a transition. Otherwise it might be impossible to later create a
reasonable transition process. This
On 24.3.2015 20:08, Bob Harold wrote:
On Mon, Mar 23, 2015 at 6:38 PM, Jan Včelák wrote:
On 23.3.2015 18:26, Bob Harold wrote:
I think we might need to allow for more than one NSEC5 key and chain,
during a transition. Otherwise it might be impossible to later create a
On 24.3.2015 19:20, Paul Hoffman wrote:
Again: a proposal for an operational change to DNSSEC needs to be explicit
about the tradeoffs, particularly when one of the options is "you will be
considered unsigned by some resolvers when you implement this". The current
draft does not have this.
On Tue, Mar 24, 2015 at 3:27 PM, Jan Včelák jan.vce...@nic.cz wrote:
On 24.3.2015 20:08, Bob Harold wrote:
On Mon, Mar 23, 2015 at 6:38 PM, Jan Včelák wrote:
On 23.3.2015 18:26, Bob Harold wrote:
I think we might need to allow for more than one NSEC5 key and
chain,
On Mar 24, 2015, at 10:41 AM, Matthäus Wander matthaeus.wan...@uni-due.de wrote:
* Paul Hoffman [2015-03-24 13:57]:
On Mar 23, 2015, at 6:23 PM, Jan Včelák jan.vce...@nic.cz wrote:
- The statement "NSEC3 offline dictionary attacks are still possible
and have been demonstrated"
On Tue, Mar 24, 2015 at 9:56 AM, Jan Včelák jan.vce...@nic.cz wrote:
On 24.3.2015 13:57, Paul Hoffman wrote:
On Mar 23, 2015, at 6:23 PM, Jan Včelák jan.vce...@nic.cz wrote:
This proposal continues to have fundamental problems that are not
documented in the draft.
- The statement about
Hi,
I just submitted an updated NSEC5 draft into the data tracker. The most
significant change is fixing the NSEC5 key rollover mechanism; the rest
are just typo fixes and small clarifications in terminology.
http://datatracker.ietf.org/doc/draft-vcelak-nsec5/
Also, I will have a 10 minute talk
On Mar 23, 2015, at 10:15 AM, Jan Včelák jan.vce...@nic.cz wrote:
I just submitted an updated NSEC5 draft into the data tracker. The most
significant change is fixing the NSEC5 key rollover mechanism; the rest
are just typo fixes and small clarifications in terminology.
This proposal continues
Paul Hoffman mailto:paul.hoff...@vpnc.org
Monday, March 23, 2015 12:08 PM
This proposal continues to have fundamental problems that are not
documented in the draft.
...
Overall, this seems like a novel idea that comes with a huge
operational overhead and no actual demand.
+1.
On 3/23/15, 14:08, Paul Hoffman paul.hoff...@vpnc.org wrote:
On Mar 23, 2015, at 10:15 AM, Jan Včelák jan.vce...@nic.cz wrote:
I just submitted an updated NSEC5 draft into the data tracker. The most
significant change is fixing the NSEC5 key rollover mechanism; the rest
are just typo fixes and
The completed sections of the draft look good to me, with one exception.
I think we might need to allow for more than one NSEC5 key and chain,
during a transition. Otherwise it might be impossible to later create a
reasonable transition process. This might require us to tag the NSEC5
records with
On 23.3.2015 18:26, Bob Harold wrote:
I think we might need to allow for more than one NSEC5 key and chain,
during a transition. Otherwise it might be impossible to later create a
reasonable transition process. This might require us to tag the NSEC5
records with an id, so that the chains and
Hi Paul,
This proposal continues to have fundamental problems that are not documented
in the draft.
- The statement "NSEC3 offline dictionary attacks are still possible
and have been demonstrated" doesn't take into account trivial changes that an
operator can choose to take if they
On Thursday, March 12, 2015 12:39:17 PM Florian Weimer wrote:
On 03/12/2015 11:36 AM, Jan Včelák wrote:
And does anyone actually use opt out with NSEC3?
Yes, .com for example. My impression was that Opt-Out was the selling
point of NSEC3, not the domain name hashing.
Okay. Are they
- Original Message -
From: Florian Weimer fwei...@redhat.com
To: Jan Včelák jan.vce...@nic.cz
Cc: dnsop@ietf.org, Nicholas Weaver nwea...@icsi.berkeley.edu
Sent: Thursday, March 12, 2015 12:39:17 PM
Subject: Re: [DNSOP] Comments regarding the NSEC5
On 03/12/2015 11:36 AM, Jan Včelák wrote
On Mar 11, 2015, at 9:39 AM, Jan Včelák jan.vce...@nic.cz wrote:
NSEC5 proof is the FDH of the domain name.
NSEC5 hash is the SHA-256 of the NSEC5 proof.
I will clarify that.
Why not just do something simpler? The only thing NSEC5 really differs in a
way that counts is not in the NSEC record but
On Wednesday, March 11, 2015 09:52:55 AM Nicholas Weaver wrote:
Why not just do something simpler? The only thing NSEC5 really differs in a
way that counts is not in the NSEC record but really just the DNSKEY
handling, having a separate key used for signing the NSEC* records.
So why define
On 03/12/2015 11:15 AM, Jan Včelák wrote:
On Wednesday, March 11, 2015 09:52:55 AM Nicholas Weaver wrote:
Why not just do something simpler? The only thing NSEC5 really differs in a
way that counts is not in the NSEC record but really just the DNSKEY
handling, having a separate key used for
On 11.3.2015 17:30, Florian Weimer wrote:
On 03/11/2015 05:19 PM, Jan Včelák wrote:
It's not clear if the security goals make sense. What do zone operators
gain if zone enumeration attacks are moved from offline to online, other
than a need to provision additional server capacity? It's not
On 03/11/2015 05:19 PM, Jan Včelák wrote:
It's not clear if the security goals make sense. What do zone operators
gain if zone enumeration attacks are moved from offline to online, other
than a need to provision additional server capacity? It's not that they
can block resolution requests
Hello Florian,
On 11.3.2015 12:01, Florian Weimer wrote:
do you plan to submit this to an IETF working group, or as an individual
submission?
We plan to submit the draft as an individual submission.
It's not clear if the security goals make sense. What do zone operators
gain if zone
On Mar 11, 2015, at 9:39 AM, Jan Včelák jan.vce...@nic.cz wrote:
On 11.3.2015 17:30, Florian Weimer wrote:
On 03/11/2015 05:19 PM, Jan Včelák wrote:
It's not clear if the security goals make sense. What do zone operators
gain if zone enumeration attacks are moved from offline to online,
Hi Jan,
do you plan to submit this to an IETF working group, or as an individual
submission?
It's not clear if the security goals make sense. What do zone operators
gain if zone enumeration attacks are moved from offline to online, other
than a need to provision additional server capacity?