
Re: DS status? (Fwd)



>----------------Begin Forwarded Message----------------<

Date: Thu, 06 Feb 2003 14:05:10 -0500 (EST)
From: "Olafur Gudmundsson" <ogud@ogud.com>
Subject: Re: DS status?
To: "Erik Nordmark" <Erik.Nordmark@Sun.COM>
Cc: "Randy Bush" <randy@psg.com>, "Olafur Gudmundsson" <ogud@ogud.com>




On Thu, 6 Feb 2003, Erik Nordmark wrote:

>
> So is the remaining issue(s) with ds-12 an issue about missing protocol
> magic, or just getting the text right?
>

The issue is "bad interaction with software that implements RFC2535".
DS-12 specifies that a secure zone answers for an insecure delegation with a
referral containing NS and NXT records in the authority section.
One widely distributed implementation looks in the message and sees the NXT
and thinks: DOES NOT EXIST proof.
This is done without looking into the NXT and can be used as a DoS attack
against the installed base.
Possible solutions include:
	renumber DNSSEC records or at least the NXT record
	Have a different flag in the EDNS header to indicate DS awareness and
	only then hand out the NXT.

I think renumbering the NXT is a better solution, but this issue needs to
be discussed more; once this is decided I can update DS and we are done.
(how often have I said that?)

	Olafur


>----------------End Forwarded Message----------------<