Re: DJB about NSEC3
On Tue, Sep 02, 2008 at 09:50:15AM +0100, Roy Arends wrote:
> I'd like to have more information how the "NSEC3" variant of DNSSEC is
> almost always breakable? I'd like to know how to interpret "almost always
I think it has been established that NSEC(3) allows the creation of
non-existent names within secured zones, if I followed things directly.
So even if importantbank.com is signed, I can try to spoof in
NS records for secure.importantbank.com, using a purloined NSEC(3) record that
covers secure.importantbank.com. The secure.importantbank.com zone is then
unsigned, and contains the data of my choice.
As long as secure.importantbank.com does not exist already of course.
As a precautionary measure, importantbank.com might want to have dummy
records for everything that 'looks' official.
http://www.PowerDNS.com      Open source, database driven DNS Software
http://netherlabs.nl              Open and Closed source services
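To make the mechanism in the mail above concrete, here is an added illustration (not code from the original post, PowerDNS, or anyone on the list) of how an NSEC3 record "covers" a name and why a dummy record stops that. It implements the RFC 5155 hash (SHA-1, salt, extra iterations, base32hex) and the circular hash chain, then checks whether some legitimately signed NSEC3 record in a constructed importantbank.com zone covers the hash of the non-existent secure.importantbank.com. The zone contents, salt and iteration count are invented for the example; the only real-world value is the RFC 5155 Appendix A test vector used to check the hash routine.

```python
import base64
import hashlib

# base32hex (RFC 4648 section 7) keeps lexicographic order equal to the
# order of the raw digests, which is what the NSEC3 chain relies on.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = bytes.maketrans(_B32_STD, _B32_HEX)


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name: length-prefixed labels, root byte."""
    labels = [lb for lb in name.lower().rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> bytes:
    """RFC 5155 section 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt)."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def to_base32hex(digest: bytes) -> str:
    """Present a 20-byte digest the way it appears as an NSEC3 owner label."""
    return base64.b32encode(digest).translate(_TO_HEX).decode("ascii").lower()


def build_chain(salt_hex: str, iterations: int, existing_names):
    """One (owner_hash, next_hash) pair per existing name; the last wraps to the first."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in existing_names)
    return [(hashes[i], hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]


def covering_record(chain, h: bytes):
    """Return the NSEC3 whose interval covers h (proof of non-existence), or None
    if h equals an owner hash, i.e. the name exists and is itself signed."""
    for owner, nxt in chain:
        if h == owner:
            return None
        if owner == nxt:                              # single-record chain covers everything else
            return (owner, nxt)
        if owner < nxt and owner < h < nxt:           # ordinary interval
            return (owner, nxt)
        if owner > nxt and (h > owner or h < nxt):    # wrap-around interval
            return (owner, nxt)
    return None


# Constructed zone: salt/iterations are the RFC 5155 Appendix A parameters,
# the names are made up for this example.
SALT = "aabbccdd"
ITERATIONS = 12
EXISTING = ["importantbank.com.", "www.importantbank.com.", "mail.importantbank.com."]


def attacker_has_covering_record(target: str, existing=EXISTING) -> bool:
    """True if a record the zone already publishes would 'prove' target does not exist.
    That is the record an attacker could replay alongside spoofed, unsigned NS data."""
    chain = build_chain(SALT, ITERATIONS, existing)
    return covering_record(chain, nsec3_hash(target, SALT, ITERATIONS)) is not None


if __name__ == "__main__":
    victim = "secure.importantbank.com."
    print("covering record exists:", attacker_has_covering_record(victim))
    # The mail's precaution: publish a dummy record so the name exists and is signed;
    # the re-signed chain then has a record that *matches* the name instead of covering it.
    print("after dummy record:", attacker_has_covering_record(victim, EXISTING + [victim]))
```

The chain partitions the whole hash space, so for any name the zone does not contain there is always exactly one record that covers it; the attack only needs that one record to be obtainable, and the dummy-record precaution works by turning "covered" into "matched".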