Query Regarding NSEC RR in DNSSEC

Chris Buxton chris.p.buxton at gmail.com
Tue Feb 14 19:18:14 UTC 2012

Briefly, the answer is, the NXDOMAIN response could be replayed by a man-in-the-middle attacker. We need to have something to sign, something specific to that query. If we just return the zone's SOA record and its signature, we're still subject to a replay attack. So we need to prove the negative, and that happens by enumerating all the possible positive answers "near" the query.

Chris Buxton
BlueCat Networks

On Feb 14, 2012, at 9:23 AM, Gaurav kansal wrote:

> Dear Team,
> We have an Authenticated Response in DNSSEC through the trust chain.
> Now my question is why we need an NSEC at all when we get a response from a DNSSEC-enabled server authentically.
> Means, if a Record exist in DNSSEC, then it replies the answer along with RRSIG of that RR.
> AND if domain doesn’t exist, then it can simply give NXDOMAIN and our job will be done as we trust that nameserver through trust chain.
> So what’s the need of NSEC??????
> Thanks n Regards, 
> 9910118448 
> VoIP - 6259 
> Operation And Routing Unit 
> Please don't print this e-mail unless you really need to; it will save trees on Planet Earth. 
> IPv4 is Over,
> Are you ready for the new Network?
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
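The replay argument in Chris's reply, worked through as an added example (this is not code from the thread and not BIND's own validator). It models a tiny signed zone with an NSEC chain, a validator that accepts an NXDOMAIN only when signed NSEC records cover both the query name and the wildcard at its closest encloser (RFC 4035 section 5.4, canonical ordering per RFC 4034 section 6.1), and, for contrast, the scheme the question proposes: a signed SOA alone. The zone contents, the key and the SOA text are constructed, and an HMAC stands in for an RRSIG so the script runs offline with the standard library only.

```python
"""Why an NXDOMAIN needs NSEC: a toy DNSSEC negative-answer validator.

Added example, not from the mailing-list thread. Zone, key and "signatures"
are constructed; HMAC-SHA256 stands in for an RRSIG.
"""
import hashlib
import hmac

ZONE_KEY = b"constructed-zone-signing-key"   # stand-in for the zone's ZSK


def canonical_key(name: str):
    """RFC 4034 section 6.1 canonical order: compare labels right to left,
    case-insensitively, as octet strings; an ancestor sorts before its children."""
    labels = name.rstrip(".").lower().split(".") if name != "." else []
    return tuple(label.encode() for label in reversed(labels))


def sign(canonical_rr: str) -> bytes:
    """Toy RRSIG: an HMAC over the canonical RR text."""
    return hmac.new(ZONE_KEY, canonical_rr.encode(), hashlib.sha256).digest()


def verify(canonical_rr: str, sig: bytes) -> bool:
    return hmac.compare_digest(sign(canonical_rr), sig)


def make_nsec(owner: str, next_name: str, types) -> dict:
    rr = f"{owner.lower()} NSEC {next_name.lower()} {' '.join(sorted(types))}"
    return {"owner": owner, "next": next_name, "types": set(types), "rr": rr, "sig": sign(rr)}


# Constructed zone example.: the only names that exist are the apex, b, d and www.d.
NSEC_CHAIN = [
    make_nsec("example.", "b.example.", {"SOA", "NS", "NSEC", "RRSIG"}),
    make_nsec("b.example.", "d.example.", {"A", "NSEC", "RRSIG"}),
    make_nsec("d.example.", "www.d.example.", {"A", "NSEC", "RRSIG"}),
    make_nsec("www.d.example.", "example.", {"A", "NSEC", "RRSIG"}),  # last one wraps to the apex
]


def nsec_covers(nsec: dict, qname: str) -> bool:
    """True if qname lies strictly between owner and next (wrap-around for the last NSEC)."""
    o, n, q = canonical_key(nsec["owner"]), canonical_key(nsec["next"]), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n


def find_nsec(nsecs, qname):
    return next((n for n in nsecs if nsec_covers(n, qname)), None)


def common_ancestor(a: str, b: str) -> str:
    ka, kb = canonical_key(a), canonical_key(b)
    depth = 0
    while depth < min(len(ka), len(kb)) and ka[depth] == kb[depth]:
        depth += 1
    return ".".join(l.decode() for l in reversed(ka[:depth])) + "." if depth else "."


def closest_encloser(nsec: dict, qname: str) -> str:
    """Longest existing ancestor of qname, derived from the covering NSEC's owner/next."""
    a, b = common_ancestor(qname, nsec["owner"]), common_ancestor(qname, nsec["next"])
    return a if len(canonical_key(a)) >= len(canonical_key(b)) else b


def validate_nxdomain(qname: str, proof: list) -> bool:
    """Accept NXDOMAIN for qname only with a validly signed NSEC covering qname
    and a validly signed NSEC covering *.<closest encloser> (RFC 4035 s.5.4)."""
    if any(not verify(n["rr"], n["sig"]) for n in proof):
        return False                     # forged or tampered NSEC
    covering = find_nsec(proof, qname)
    if covering is None:
        return False                     # signature fine, but not about this name: a replay
    ce = closest_encloser(covering, qname)
    wildcard = "*." + ce if ce != "." else "*."
    return find_nsec(proof, wildcard) is not None


# The scheme from the question: sign only the SOA and return it with NXDOMAIN.
SOA_RR = "example. SOA ns1.example. hostmaster.example. 2012021401 7200 3600 1209600 3600"
SOA_SIG = sign(SOA_RR)


def validate_soa_only(qname: str, soa_rr: str, sig: bytes) -> bool:
    """Nothing here ties the signature to qname, so a captured copy verifies for any name."""
    return verify(soa_rr, sig)


def demo() -> dict:
    honest_c = [NSEC_CHAIN[1], NSEC_CHAIN[0]]   # b..d covers c; apex..b covers *.example.
    honest_e = [NSEC_CHAIN[3], NSEC_CHAIN[0]]   # www.d..apex covers e (wrap-around)
    forged = dict(NSEC_CHAIN[1], next="z.example.", rr="b.example. nsec z.example. A")  # old sig
    return {
        "nsec_honest_c": validate_nxdomain("c.example.", honest_c),
        "nsec_honest_e": validate_nxdomain("e.example.", honest_e),
        "nsec_replay_e": validate_nxdomain("e.example.", honest_c),   # replayed c-proof
        "nsec_forged_e": validate_nxdomain("e.example.", [forged, NSEC_CHAIN[0]]),
        "soa_replay_e": validate_soa_only("e.example.", SOA_RR, SOA_SIG),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The two replay cases are the point: the captured proof for `c.example.` verifies cryptographically but is rejected for `e.example.` because `e` is not between `b` and `d`, while the signed SOA alone is accepted for any name the attacker chooses. The cost, also visible here, is that each NSEC hands out two real names from the zone, which is the zone-walking trade-off NSEC3 was later introduced to address.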

