Query Regarding NSEC RR in DNSSEC
marco.davids at sidn.nl
Tue Feb 14 20:02:33 UTC 2012
You might want to have a look at our whitepaper on 'authenticated denial
of existence' to gain a better understanding of this somewhat complicated
aspect of the DNSSEC specification:
On 02/14/2012 08:18 PM, Chris Buxton wrote:
> Briefly, the answer is, the NXDOMAIN response could be replayed by a
> man-in-the-middle attacker. We need to have something to sign, something
> specific to that query. If we just return the zone's SOA record and its
> signature, we're still subject to a replay attack. So we need to prove
> the negative, and that happens by enumerating all the possible positive
> answers "near" the query.
> Chris Buxton
> BlueCat Networks
> On Feb 14, 2012, at 9:23 AM, Gaurav kansal wrote:
>> Dear Team,
>> We have an Authenticated Response in DNSSEC through the trust chain.
>> Now my question is why we ourselves need an NSEC when we get a response
>> from a DNSSEC-enabled server authentically.
>> Means, if a Record exists in DNSSEC, then it replies with the answer along
>> with the RRSIG of that RR.
>> AND if the domain doesn't exist, then it can simply give NXDOMAIN and our
>> job will be done as we trust that nameserver through the trust chain.
>> So what's the need for NSEC??
>> Thanks n Regards,
>> GAURAV KANSAL
>> VoIP - 6259
>> Operation And Routing Unit
>> NIC , NEW DELHI
>> Please don't print this e-mail until & unless you really need to; it will
>> save Trees on Planet Earth.
>> IPv4 is Over,
>> Are you ready for the new Network?
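The point Chris makes above (a signed answer must be specific to the query, otherwise a signed "nothing here" could be replayed for any name) is easiest to see in the validator's covering check. The following is an added example, not code from this thread or from BIND: a constructed zone's NSEC chain and a simplified RFC 4034 canonical-ordering check that decides whether a given NSEC record actually proves that a queried name does not exist. It assumes the NSEC records and their RRSIGs have already been validated through the chain of trust, and it ignores wildcards, delegation points and the closest-encloser rules a full validator needs.

```python
"""Simplified NSEC authenticated-denial check (constructed example).

Assumes each NSEC record and its RRSIG were already validated through
the DNSSEC chain of trust; only the 'does this NSEC cover qname?' logic
is shown here.  Wildcards, delegations and closest-encloser handling
are deliberately left out.
"""
from typing import FrozenSet, List, NamedTuple, Optional, Tuple


class NSEC(NamedTuple):
    owner: str               # owner name of the NSEC record
    next_name: str           # next owner name in canonical zone order
    types: FrozenSet[str]    # type bitmap: RR types present at owner


def canonical_key(name: str) -> Tuple[str, ...]:
    """RFC 4034 section 6.1 ordering: compare labels right to left,
    case-insensitively; a name that is a prefix of another sorts first.
    Python tuple comparison gives exactly that behaviour."""
    labels = [lbl.lower() for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(reversed(labels))


def nsec_covers(rec: NSEC, qname: str) -> bool:
    """True if qname lies strictly inside the gap (owner, next_name).

    The last NSEC in a zone points back to the apex, so its gap wraps
    around the end of the zone.  An exact match on the owner means the
    name exists, so it is never 'covered' (NODATA uses the bitmap instead).
    """
    q = canonical_key(qname)
    o = canonical_key(rec.owner)
    n = canonical_key(rec.next_name)
    if q == o:
        return False
    if o < n:
        return o < q < n          # ordinary gap in the middle of the zone
    return q > o or q < n         # wrap-around gap at the end of the zone


def find_covering_nsec(chain: List[NSEC], qname: str) -> Optional[NSEC]:
    """Return the single NSEC whose gap contains qname, or None."""
    for rec in chain:
        if nsec_covers(rec, qname):
            return rec
    return None


def prove_nxdomain(chain: List[NSEC], qname: str) -> bool:
    """NXDOMAIN is proven only by an NSEC whose gap contains qname.
    A signed NSEC for some other gap proves nothing about qname, which is
    why a replayed denial cannot be reused against an unrelated name."""
    return find_covering_nsec(chain, qname) is not None


def prove_nodata(chain: List[NSEC], qname: str, qtype: str) -> bool:
    """NODATA is proven by an NSEC owned by qname whose bitmap lacks qtype."""
    for rec in chain:
        if canonical_key(rec.owner) == canonical_key(qname):
            return qtype not in rec.types
    return False


# Constructed NSEC chain for the zone "example." (not a real zone).
ZONE_NSEC_CHAIN: List[NSEC] = [
    NSEC("example.", "a.example.",
         frozenset({"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"})),
    NSEC("a.example.", "ns1.example.", frozenset({"A", "NSEC", "RRSIG"})),
    NSEC("ns1.example.", "www.example.", frozenset({"A", "NSEC", "RRSIG"})),
    NSEC("www.example.", "example.",
         frozenset({"A", "AAAA", "NSEC", "RRSIG"})),   # wraps to apex
]

if __name__ == "__main__":
    for name in ("b.example.", "zzz.example.", "www.example.", "A.example."):
        rec = find_covering_nsec(ZONE_NSEC_CHAIN, name)
        gap = f"{rec.owner} -> {rec.next_name}" if rec else "none (name exists)"
        print(f"{name:14} covered by: {gap}")
    print("www.example. MX nodata:", prove_nodata(ZONE_NSEC_CHAIN, "www.example.", "MX"))
```

Running it shows that `b.example.` is covered by the `a.example. -> ns1.example.` NSEC, `zzz.example.` by the wrap-around record, and that existing names (regardless of case) are covered by none; the replay concern is visible in that `nsec_covers` on the `a.example.` record returns false for `zzz.example.`, so that signed record cannot be replayed to deny a name outside its own gap.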