[bind10-dev] NSEC3 consideration
Mark Andrews
marka at isc.org
Mon Oct 31 01:33:10 UTC 2011
In message <520024431.18006 at cnnic.cn> <1320024430.1536.4.camel at zenus>, Kevin Tes writes:
> Hi,
>
> As RFC 5155 (DNS Security (DNSSEC) Hashed Authenticated Denial of
> Existence) suggests, there are eight cases for NSEC3 Hashed
> Authenticated Denial of Existence.
>
> First: Name error,
> Second: No data QTYPE is not DS,
> Third: No data QTYPE is DS,
> Fourth: Wildcard no data,
> Fifth: Wildcard answer,
> Sixth: Referrals to unsigned subzone,
> Seventh: Query for NSEC3,
> Eighth: Run-Time Collision.
>
> Divide those into four categories; each category is an independent task.
>
> <1> First
> <2> Second, Third, Sixth, Seventh
> <3> Fourth
> <4> Fifth
>
> For the hash algorithm specified in this document, SHA-1, run-time collisions are highly unlikely to happen,
> so do not take the 'eighth' into account.
Queries for NSEC3 records should always fail as NSEC3 records are
in a different namespace.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
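As an added illustration (not code from the thread or from BIND 10): the RFC 5155 section 5 hash with the NSEC3PARAM values of the RFC's Appendix A, plus a name-error proof (the "First" case) that also exercises Mark's point, since an NSEC3 owner name queried as an ordinary name falls into the normal name tree, where it does not exist. The zone contents are constructed, and the function names are my own.

```python
import hashlib
import base64
# RFC 5155 owner names use base32hex (RFC 4648 "Extended Hex"); map from the stdlib's base32 alphabet.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def name_to_wire(name):
    """Canonical wire form (RFC 4034 s6.2): lowercase labels, each length-prefixed, root = 0x00."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt, iterations):
    """RFC 5155 s5: IH(0)=H(name|salt), IH(k)=H(IH(k-1)|salt); result is IH(iterations), lowercase base32hex."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()

def nsec3_chain(zone_names, salt, iterations):
    """Hashed owner -> next hashed owner, in hash order; the last record wraps around to the first."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in zone_names)
    return {h: hashes[(i + 1) % len(hashes)] for i, h in enumerate(hashes)}

def covers(chain, h):
    """Return the NSEC3 owner whose interval (owner, next) covers h, i.e. proves h does not exist."""
    for owner, nxt in chain.items():
        if (owner < h < nxt) or (owner >= nxt and (h > owner or h < nxt)):
            return owner
    return None  # h equals an owner: a real owner hashes to it (the thread's "eighth" case if unintended)

def name_error_proof(qname, zone_names, salt, iterations):
    """Name Error (RFC 5155 s7.2.2): closest encloser matched, next closer and wildcard covered."""
    existing = {n.rstrip(".").lower() for n in zone_names}
    chain = nsec3_chain(zone_names, salt, iterations)
    labels = qname.rstrip(".").lower().split(".")
    if ".".join(labels) in existing:
        return None  # the name exists: not a name error
    for i in range(1, len(labels)):  # walk up to the closest existing ancestor
        if ".".join(labels[i:]) in existing:
            closest, next_closer = ".".join(labels[i:]), ".".join(labels[i - 1:])
            break
    else:
        return None  # qname is not below this zone's apex
    return {
        "closest_encloser": nsec3_hash(closest, salt, iterations),  # exact NSEC3 match
        "next_closer_covered_by": covers(chain, nsec3_hash(next_closer, salt, iterations)),
        "wildcard_covered_by": covers(chain, nsec3_hash("*." + closest, salt, iterations)),
    }

# Constructed sample zone; SALT and ITERATIONS are the NSEC3PARAM values from RFC 5155 Appendix A.
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 12
ZONE = ["example.", "a.example.", "ns1.example.", "ns2.example.", "w.example.", "x.w.example."]
```

Querying `nsec3_hash("example.", SALT, ITERATIONS) + ".example."` as a normal name produces a name-error proof whose closest encloser is the apex, which is why a query for an NSEC3 owner name fails rather than returning the NSEC3 record.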