Query Regarding NSEC RR in DNSSEC
Marco Davids
marco.davids at sidn.nl
Tue Feb 14 20:02:33 UTC 2012
Hello Gaurav,
You might want to have a look at our whitepaper on 'authenticated denial
of existence' to gain better understanding of this somewhat complicated
aspect of the DNSSEC specification:
https://www.sidn.nl/fileadmin/docs/PDF-files_UK/wp-2011-0x01-v2.pdf
Regards,
--
Marco
On 02/14/2012 08:18 PM, Chris Buxton wrote:
> Briefly, the answer is, the NXDOMAIN response could be replayed by a
> man-in-the-middle attacker. We need to have something to sign, something
> specific to that query. If we just return the zone's SOA record and its
> signature, we're still subject to a replay attack. So we need to prove
> the negative, and that happens by enumerating all the possible positive
> answers "near" the query.
>
> Regards,
> Chris Buxton
> BlueCat Networks
>
> On Feb 14, 2012, at 9:23 AM, Gaurav kansal wrote:
>
>> Dear Team,
>>
>> We have an Authenticated Response in DNSSEC through the trust chain.
>> Now my question is why we need an NSEC at all when we get a response from
>> a DNSSEC-enabled server authentically.
>>
>> Means, if a Record exists in DNSSEC, then it replies the answer along
>> with the RRSIG of that RR.
>> AND if the domain doesn’t exist, then it can simply give NXDOMAIN and our
>> job will be done as we trust that nameserver through the trust chain.
>> So what’s the need for NSEC??????
>>
>> Thanks n Regards,
>> GAURAV KANSAL
>> 9910118448
>> VoIP - 6259
>> Operation And Routing Unit
>> NIC , NEW DELHI
>>
>> Please don't print this e-mail until & unless you really need it; it will
>> save trees on planet Earth.
>> IPv4 is over.
>> Are you ready for the new network?
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org <mailto:bind-users at lists.isc.org>
>> https://lists.isc.org/mailman/listinfo/bind-users