Query Regarding NSEC RR in DNSSEC

Marco Davids marco.davids at sidn.nl
Tue Feb 14 20:02:33 UTC 2012


Hello Gaurav,

You might want to have a look at our whitepaper on 'authenticated denial
of existence' to gain better understanding of this somewhat complicated
aspect of the DNSSEC specification:

https://www.sidn.nl/fileadmin/docs/PDF-files_UK/wp-2011-0x01-v2.pdf

Regards,

--
Marco



On 02/14/2012 08:18 PM, Chris Buxton wrote:
> Briefly, the answer is, the NXDOMAIN response could be replayed by a
> man-in-the-middle attacker. We need to have something to sign, something
> specific to that query. If we just return the zone's SOA record and its
> signature, we're still subject to a replay attack. So we need to prove
> the negative, and that happens by enumerating all the possible positive
> answers "near" the query.
> 
> Regards,
> Chris Buxton
> BlueCat Networks
> 
> On Feb 14, 2012, at 9:23 AM, Gaurav kansal wrote:
> 
>> Dear Team,
>>  
>> We have an Authenticated Response in DNSSEC through the trust chain.
>> Now my question is why we ourselves need an NSEC when we get a response from
>> a DNSSEC-enabled server authentically.
>>  
>> Meaning, if a Record exists in DNSSEC, then it replies with the answer along
>> with the RRSIG of that RR.
>> AND if the domain doesn't exist, then it can simply give NXDOMAIN and our
>> job will be done, as we trust that nameserver through the trust chain.
>> So what's the need of NSEC?
>>  
>> Thanks n Regards, 
>> GAURAV KANSAL 
>> 9910118448 
>> VoIP - 6259 
>> Operation And Routing Unit 
>> NIC , NEW DELHI
>>  
>> Please don't print this e-mail until & unless you really need to; it will
>> save Trees on Planet Earth. 
>> IPv4 is Over,
>> Are you ready for the new Network?
>>  
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org <mailto:bind-users at lists.isc.org>
>> https://lists.isc.org/mailman/listinfo/bind-users
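The interval proof Chris describes, as an added example that is not part of this thread or of BIND: a small model of NSEC denial of existence (RFC 4034 section 4 and 6.1, RFC 4035 section 5.4). The zone "example." and its NSEC chain are constructed; RRSIG verification and the wildcard/closest-encloser part of a full NXDOMAIN proof are assumed to be handled elsewhere.

```python
"""Added example: model of NSEC-based authenticated denial of existence.

An NSEC RR at owner O with next name N asserts that no name exists strictly
between O and N in canonical order.  Signing that (O, N) pair is what ties a
negative answer to the queried name, so a signed NSEC for one gap cannot be
replayed to deny a name that falls in a different gap."""


def canonical_key(name: str) -> tuple:
    """Sort key for RFC 4034 section 6.1 canonical ordering: labels are compared
    from the rightmost (most significant) one, case-insensitively, as octet
    strings; a name that is a proper prefix of another sorts first."""
    labels = name.rstrip(".").lower().encode("ascii").split(b".")
    if labels == [b""]:  # the root name "."
        return ()
    return tuple(reversed(labels))


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if this NSEC proves qname does not exist: qname sorts strictly
    between owner and next_name.  The last NSEC in a zone points back to the
    apex, so next_name <= owner means the interval wraps around the chain."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # wrap-around interval at the end of the chain


def find_covering_nsec(chain, qname: str):
    """Return the (owner, next) pair whose gap covers qname, or None when qname
    is itself an owner name in the chain (a positive answer is expected then)
    or lies outside every gap.  A real validator also checks that each NSEC's
    RRSIG verifies and that the RR belongs to the zone being queried."""
    for owner, next_name in chain:
        if canonical_key(owner) == canonical_key(qname):
            return None
        if nsec_covers(owner, next_name, qname):
            return (owner, next_name)
    return None


# Constructed sample zone "example." with the NSEC chain its authoritative
# server would publish, in canonical order; the last record wraps to the apex.
SAMPLE_CHAIN = [
    ("example.", "a.example."),
    ("a.example.", "ns1.example."),
    ("ns1.example.", "z.example."),
    ("z.example.", "example."),
]

if __name__ == "__main__":
    print(find_covering_nsec(SAMPLE_CHAIN, "b.example."))    # a. -> ns1. gap
    print(nsec_covers("a.example.", "ns1.example.", "zz.example."))  # False
    print(find_covering_nsec(SAMPLE_CHAIN, "ns1.example."))  # None, it exists
```

Replaying the a.example. -> ns1.example. NSEC for a query about zz.example. fails the interval check, which is the point of signing something specific to the query rather than a bare NXDOMAIN.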
