Query Regarding NSEC RR in DNSSEC
chris.p.buxton at gmail.com
Tue Feb 14 19:18:14 UTC 2012
Briefly, the answer is, the NXDOMAIN response could be replayed by a man-in-the-middle attacker. We need to have something to sign, something specific to that query. If we just return the zone's SOA record and its signature, we're still subject to a replay attack. So we need to prove the negative, and that happens by enumerating all the possible positive answers "near" the query.
On Feb 14, 2012, at 9:23 AM, Gaurav kansal wrote:
> Dear Team,
> We have an Authenticated Response in DNSSEC through trust chain.
> Now my question is why we ourselves need an NSEC when we get response from DNSSEC enabled server authentically.
> Means, if a Record exists in DNSSEC, then it replies the answer along with RRSIG of that RR.
> AND if domain doesn’t exist, then it can simply give NXDOMAIN and our job will be done as we trust that nameserver through trust chain.
> So what’s the need of NSEC??????
> Thanks n Regards,
> GAURAV KANSAL
> VoIP - 6259
> Operation And Routing Unit
> NIC , NEW DELHI
> Please don't print this e-mail until & unless you really need, it will save Trees on Planet Earth.
> IPv4 is Over,
> Are you ready for new Network.
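To make the point of the reply concrete, here is an added worked example (not part of the original thread, and not BIND code): a toy validator that decides whether a set of NSEC records proves a queried name does not exist. It uses the DNSSEC canonical name ordering from RFC 4034 section 6.1 and also performs the wildcard check that RFC 4035 requires for a full NXDOMAIN proof, which the reply above does not spell out. The zone `example.` with the names `alpha`, `charlie` and `zulu` is constructed for the example; RRSIG verification is assumed to have already happened, since the question is only about what the signed data must say.

```python
"""Toy NSEC denial-of-existence check (RFC 4034/4035 ordering rules).

Constructed example; signature verification is assumed to be done already.
"""
from typing import List, NamedTuple, Optional, Tuple


def canonical_key(name: str) -> tuple:
    """Key implementing DNSSEC canonical name order (RFC 4034 s6.1):
    labels are compared from the root end, case-insensitively, and a
    parent name sorts before any of its children."""
    labels = [lbl.lower().encode("ascii")
              for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(reversed(labels))


class NSEC(NamedTuple):
    owner: str       # owner name of the NSEC RR
    next_name: str   # "next" field: next existing name in canonical order


def nsec_covers(rr: NSEC, name: str) -> bool:
    """True if `name` falls strictly between owner and next.  The last NSEC
    in a zone points back to the apex, so its range wraps around."""
    k = canonical_key(name)
    lo, hi = canonical_key(rr.owner), canonical_key(rr.next_name)
    if lo < hi:
        return lo < k < hi
    return k > lo or k < hi   # wrap-around record at the end of the chain


def closest_encloser(chain: List[NSEC], qname: str) -> str:
    """Nearest ancestor of qname that exists in the zone (an NSEC owner)."""
    existing = {canonical_key(rr.owner) for rr in chain}
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels) + 1):        # walk upward, nearest first
        ancestor = ".".join(labels[i:]) + "."
        if canonical_key(ancestor) in existing:
            return ancestor
    return "."


def prove_nxdomain(chain: List[NSEC], qname: str) -> Optional[Tuple[NSEC, NSEC]]:
    """Return (NSEC covering qname, NSEC covering the closest-encloser
    wildcard) when the chain proves qname does not exist, else None.

    A proof is tied to the specific name: an NSEC pair that denies one
    name is simply not a proof for a name outside its ranges, which is
    what defeats replaying a denial obtained for some other query."""
    if any(canonical_key(rr.owner) == canonical_key(qname) for rr in chain):
        return None                      # the name exists; nothing to prove
    cover = next((rr for rr in chain if nsec_covers(rr, qname)), None)
    if cover is None:
        return None
    ce = closest_encloser(chain, qname)
    wildcard = "*." if ce == "." else "*." + ce
    wcover = next((rr for rr in chain if nsec_covers(rr, wildcard)), None)
    if wcover is None:
        return None                      # a wildcard might synthesize an answer
    return cover, wcover


# Constructed zone: example. with alpha, charlie, zulu; NSEC chain wraps to apex.
EXAMPLE_CHAIN = [
    NSEC("example.", "alpha.example."),
    NSEC("alpha.example.", "charlie.example."),
    NSEC("charlie.example.", "zulu.example."),
    NSEC("zulu.example.", "example."),
]


if __name__ == "__main__":
    for q in ("bravo.example.", "www.zulu.example.", "alpha.example."):
        print(q, "->", prove_nxdomain(EXAMPLE_CHAIN, q))
    # The denial that covers bravo.example. says nothing about yankee.example.
    print(nsec_covers(EXAMPLE_CHAIN[1], "yankee.example."))
```

The two NSEC records returned for `bravo.example.` are exactly what a validator needs to see (signed) before it accepts NXDOMAIN: one shows no name sits between `alpha` and `charlie`, the other shows no `*.example.` wildcard exists. Feeding the same pair back for `yankee.example.` fails the range check, which is the "something specific to that query" the reply describes.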