Query Regarding NSEC RR in DNSSEC
Chris Buxton
chris.p.buxton at gmail.com
Tue Feb 14 19:18:14 UTC 2012
Briefly, the answer is, the NXDOMAIN response could be replayed by a man-in-the-middle attacker. We need to have something to sign, something specific to that query. If we just return the zone's SOA record and its signature, we're still subject to a replay attack. So we need to prove the negative, and that happens by enumerating all the possible positive answers "near" the query.
Regards,
Chris Buxton
BlueCat Networks
On Feb 14, 2012, at 9:23 AM, Gaurav kansal wrote:
> Dear Team,
>
> We have a Authenticated Response in DNSSEC through trust chain.
> Now my question is why we itself need a NSEC when we get response from DNSSEC enabled server authentically.
>
> Means, if a Record exist in DNSSEC, then it replies the answer along with RRSIG of that RR.
> AND if domain doesn’t exist, then it can simply give NXDOMAIN and our job will be done as we trust that nameserver through trust chain.
> So what’s the need of NSEC??????
>
> Thanks n Regards,
> GAURAV KANSAL
> 9910118448
> VoIP - 6259
> Operation And Routing Unit
> NIC , NEW DELHI
>
> Please don't print this e-mail until & unless you really need, it will save Trees on Planet Earth.
> IPv4 is Over,
> Are your ready for new Network.
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20120214/ecb9ff89/attachment.html>
More information about the bind-users
mailing list