On Thu, 2004-08-19 at 04:51, Alex Bligh wrote:
> Do you propose that the colour state be a per-querier per-name attribute
> (in which case it's going to be defeated by a distributed attack)

I'm not dead-set against NSEC[23], but I'm seeing an inconsistency
between two different lines of argument for hashed nsec records:

"DNSSEC makes enumeration too easy. We need hashed nsec records."
"But hashed nsec records won't make it that much harder to enumerate."
"That's okay; security is all about raising the bar for attackers."

"DNSSEC makes enumeration too easy. We need hashed nsec records."
"But you can make DNSSEC enumeration harder through clever tricks."
"Oh, no, that will never work; people will just use armies of zombies
to conduct their enumeration."

Perhaps it could be argued that hashed nsec records raise the bar much
higher than implementation-specific defenses can, but I'm not wholly
convinced that's true.

(I continue to believe that the most practical way to deal with the
enumeration problem is to allow domains to punt on authenticated
denial. But that idea doesn't seem very popular.)

to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.