NSEC question
Matthijs Mekking
matthijs at isc.org
Fri Nov 19 10:01:16 UTC 2021
Hello Josef,
Your time stamps guess is correct.
The NSEC is signed and the signature record (RRSIG) has a signature
expiration time included, so it cannot be replayed forever.
Best regards,
Matthijs
On 19-11-2021 10:45, Josef Moellers wrote:
> Good morning (from this particular part of the world),
>
> I am currently trying to wrap my head around DNSSEC and associated
> topics. My understanding is that DNSSEC isn't really that complicated:
> you "just" sign the data and the client can verify that it's legitimate
> using public keys and the "chain of trust".
>
> I'm now at the point of trying to understand NSEC.
> Quite a nice example is here:
> https://dnsinstitute.com/documentation/dnssec-guide/ch06s02.html
> which uses the picture of a company with three employees "Alice",
> "Edward" and "Susan", and a "nameless intern" who answers phone calls
> and forwards them to the appropriate person.
>
> At the end of the intro, the author describes the problem that arises
> without NSEC when someone asks for "Bob" ("That person does not exist.")
> and then for "Susan" ("Susan works here, I'll put you through!") and
> explains that an attacker could deny the existence of "Susan" by
> replaying the answer given for "Bob".
> In comes NSEC and this problem is solved. So far I'm with it.
>
> Now I'm trying to understand if (and how) this might work when a person
> joins the company (in real life: when a host is added):
> Before "Bob" joins the company, the answer would be "I'm sorry, that
> person doesn't work here. The name before that is Alice, and the name
> after that is Edward". That answer is correct, as "Bob" is not with the
> company at that time, and verifiably signed.
> Now "Bob" joins the company and somebody asks for him and the attacker
> replays the message "I'm sorry, that person doesn't work here. The name
> before that is Alice, and the name after that is Edward". That answer is
> incorrect ("Bob" IS with the company) but still verifiably signed.
>
> How would NSEC prevent this?
> My guess is that it might use time stamps, but I fail to see how that
> would work.
>
> Thanks,
>
> Josef
>
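To make the time-stamp point concrete, here is an added example (not from this thread and not BIND code) that models the two checks a validating resolver applies to a replayed NSEC denial: the RRSIG validity window (RFC 4035, section 5.3.1, using RFC 1982 serial arithmetic on the 32-bit time fields) and whether the NSEC actually covers the queried name. The zone name, the 30-day validity period and the timestamps are constructed; the cryptographic signature check itself is assumed to pass, since a replayed RRSIG is genuine.

```python
from dataclasses import dataclass

DAY = 86400

def canonical_key(name: str):
    """Sort key for DNSSEC canonical name order: labels compared from the root."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))

def serial_le(a: int, b: int) -> bool:
    """a <= b in RFC 1982 serial-number arithmetic on 32-bit time fields."""
    return ((b - a) & 0xFFFFFFFF) < 0x80000000

@dataclass
class Nsec:
    owner: str       # owner name of the NSEC RR
    next_name: str   # next owner name in canonical zone order

@dataclass
class Rrsig:
    inception: int   # seconds since epoch, as carried in the 32-bit wire field
    expiration: int

def nsec_covers(nsec: Nsec, qname: str) -> bool:
    """True if qname falls strictly between owner and next (wrapping at the apex)."""
    q, lo, hi = canonical_key(qname), canonical_key(nsec.owner), canonical_key(nsec.next_name)
    if lo < hi:
        return lo < q < hi
    return q > lo or q < hi   # the last NSEC in a zone points back to the apex

def rrsig_in_window(sig: Rrsig, now: int) -> bool:
    """RFC 4035 5.3.1: reject if now is before inception or after expiration."""
    return serial_le(sig.inception, now) and serial_le(now, sig.expiration)

def denial_is_valid(nsec: Nsec, sig: Rrsig, qname: str, now: int) -> bool:
    """Accept a signed denial of existence only if it is time-valid and covers qname.
    The signature bytes are assumed to verify (constructed data, no crypto here)."""
    return rrsig_in_window(sig, now) and nsec_covers(nsec, qname)

# Constructed scenario: zone signed at T0 with a 30-day signature validity period.
T0 = 1_637_280_000
OLD_NSEC = Nsec("alice.example.", "edward.example.")   # signed before bob existed
OLD_SIG = Rrsig(T0, T0 + 30 * DAY)
NEW_NSEC = Nsec("alice.example.", "bob.example.")      # after re-signing with bob added

if __name__ == "__main__":
    print(denial_is_valid(OLD_NSEC, OLD_SIG, "bob.example.", T0 + 10 * DAY))  # True: old denial still validates inside its window
    print(denial_is_valid(OLD_NSEC, OLD_SIG, "bob.example.", T0 + 31 * DAY))  # False: RRSIG expired
    print(nsec_covers(NEW_NSEC, "bob.example."))  # False: bob is now an owner name, not a gap
```

The exposure Josef describes is therefore bounded by the signature validity period (and the RRSIG's TTL), which is why zone operators keep that window short and re-sign well before expiration.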