Loading of NSEC3 zone files with unknown hash algorithms

The proposal is to issue a warning in the logfile of the server that loads the file, with the option of letting implementors refuse to answer queries...

An alternative proposal is to completely refuse to load the zone. Two nameservers serving the same zone but with different answers to queries is bad.

Direct queries for NSEC3 records

Allow those? The draft allows them.

(If the query is for type nsec3 at the hashed name, answer with the nsec3 record if one exists. If not....)

Discussion leads to treating nsec3 hashnames as non-existing/refused names.

What are the arguments for having answers to type nsec3 queries?

Probably a fair statement: in this workshop there was no need to make direct nsec3 queries. Implementors: does this (refusing those queries) make implementation easier? A: yes and no...

Why does nsec3 have an owner name? Where should the owner name go? Redefine the RR format? Lots of code depends on the current format.

Propose to the list: direct NSEC3 queries get an nxdomain reply.

Signalling

In order to distinguish an nsec3-signed zone from an nsec-signed zone, so that current (dnssec-bis) resolvers see the nsec3-signed zone as an unsigned zone, you need some sort of signalling method. How do you make sure that going from a dnssec-bis nsec-signed zone to an nsec3-signed zone ...

Weiler: "How do you stop a 4033/4/5 resolver from attempting to validate (and treating as bogus) an NSEC3 zone that it reached via a secure delegation from an NSEC zone?"

Typecode roll is expensive and crazy. Avoid it.

DS digest algorithm roll.

EDNS version increment ... messy.

... We end up with:

Message digest and algorithm "change".

http://www.iana.org/assignments/dns-sec-alg-numbers

Signalling has to be in the draft, authors agree they can do it.

Use algorithm codes for signalling.

Geoff is documenting the issue and the arguments, and will post it to namedroppers later.
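As an added illustration of why algorithm codes work as a signal (this is example code written for these notes, not anything from the draft authors or an implementation), the model below shows what a 4033/4/5 validator does at a delegation whose DS records name an algorithm it does not know. It assumes the NSEC3-aware algorithm numbers that RFC 5155 later registered (6 and 7); the RFC 4034 numbers 3 and 5 are real, and the rule that unsupported DS algorithms make a delegation insecure rather than bogus is RFC 4035 section 5.2.

```python
# Added example (not from the notes): how algorithm-code signalling plays out at a
# validator. DNSKEY/DS algorithm numbers 3 (DSA) and 5 (RSASHA1) are the RFC 4034
# values; 6 and 7 are the NSEC3-aware aliases RFC 5155 later registered (assumed here
# to be the codes meant by "use algorithm codes for signalling").
DSA, RSASHA1 = 3, 5
DSA_NSEC3_SHA1, RSASHA1_NSEC3_SHA1 = 6, 7
NSEC3_ALGORITHMS = frozenset({DSA_NSEC3_SHA1, RSASHA1_NSEC3_SHA1})

LEGACY_VALIDATOR = frozenset({DSA, RSASHA1})          # an RFC 4033/4/5-only resolver
NSEC3_VALIDATOR = LEGACY_VALIDATOR | NSEC3_ALGORITHMS  # a resolver that knows NSEC3


def delegation_status(ds_algorithms, supported_algorithms):
    """How a validator classifies a child zone from the DS RRset at the parent.
    RFC 4035 section 5.2: when no DS record names an algorithm the validator
    supports, the delegation is treated as insecure (unsigned), not bogus."""
    if not ds_algorithms:
        # Proven absence of DS; the denial proof itself is assumed already validated.
        return "insecure"
    if any(alg in supported_algorithms for alg in ds_algorithms):
        return "secure"  # validator will fetch DNSKEYs and validate the child's data
    return "insecure"


def denial_status(denial_rrtype, supported_algorithms):
    """Once a validator is in 'secure' mode for a zone, a denial-of-existence proof
    it cannot understand is bogus: the failure Weiler's question describes."""
    if denial_rrtype == "NSEC":
        return "validated"
    if denial_rrtype == "NSEC3" and supported_algorithms & NSEC3_ALGORITHMS:
        return "validated"
    return "bogus"


def lookup_outcome(ds_algorithms, denial_rrtype, supported_algorithms):
    """What a resolver reports for a name the child zone denies, combining the
    delegation decision with the denial-proof check."""
    if delegation_status(ds_algorithms, supported_algorithms) == "insecure":
        return "insecure"  # answer accepted unvalidated, as for any unsigned zone
    return denial_status(denial_rrtype, supported_algorithms)


if __name__ == "__main__":
    for ds in ([RSASHA1_NSEC3_SHA1], [RSASHA1], [RSASHA1, RSASHA1_NSEC3_SHA1]):
        print(ds, "->", lookup_outcome(ds, "NSEC3", LEGACY_VALIDATOR))
```

The third case in the demo is the caveat: if the parent's DS set also carries a pre-NSEC3 algorithm code, the old validator picks the code it knows, goes into secure mode, and then rejects the NSEC3 proofs as bogus, so the signal only works when the zone publishes NSEC3 algorithm codes exclusively.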

Number of iterations

0 iterations means that the hash is applied once, but that is not in the draft. We must fix the wording.

Length of hash names

The proposal is to add one octet for length specification. ( http://www.ops.ietf.org/lists/namedroppers/namedroppers.2005/msg00683.html )
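The following Python is an added example, written for these notes rather than taken from the draft or any nameserver, covering the three points above: the iteration count (0 means one hash application), the explicit length octet in front of the hashed name, and what a loader sees for an unknown hash algorithm. It follows the hash construction RFC 5155 eventually standardized (SHA-1 over the wire-format owner name plus salt, re-hashed with the salt for each additional iteration, base32hex presentation); the salt and iteration count are constructed sample values.

```python
import base64
import hashlib
import struct

# Constructed sample parameters (not from the notes).
SAMPLE_SALT = bytes.fromhex("aabbccdd")
SAMPLE_ITERATIONS = 12
SHA1 = 1                       # the only NSEC3 hash algorithm number defined
SUPPORTED_HASH_ALGS = {SHA1}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each length-prefixed,
    terminated by the root label (RFC 4034 section 6)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length out of range")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def hash_once(data: bytes, salt: bytes) -> bytes:
    """One application of the hash function: H(data || salt)."""
    return hashlib.sha1(data + salt).digest()


def nsec3_hash(name: str, salt: bytes, iterations: int, hash_alg: int = SHA1) -> bytes:
    """Hashed owner name: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt).
    'iterations' counts the additional rounds, so iterations == 0 hashes exactly once."""
    if hash_alg not in SUPPORTED_HASH_ALGS:
        # This is the "unknown hash algorithm" case a zone loader has to handle.
        raise ValueError("unknown NSEC3 hash algorithm %d" % hash_alg)
    digest = hash_once(name_to_wire(name), salt)
    for _ in range(iterations):
        digest = hash_once(digest, salt)
    return digest


_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def base32hex(data: bytes) -> str:
    """Base32 with the Extended Hex alphabet (RFC 4648 section 7), unpadded and
    lowercase, as used for NSEC3 owner names in presentation format."""
    encoded = base64.b32encode(data).decode("ascii").rstrip("=")
    return encoded.translate(_B32_TO_B32HEX).lower()


def hashed_owner_name(name: str, zone: str, salt: bytes, iterations: int) -> str:
    """Presentation-format owner name of the NSEC3 record covering 'name'."""
    return base32hex(nsec3_hash(name, salt, iterations)) + "." + zone.rstrip(".") + "."


def nsec3_rdata(hash_alg, flags, iterations, salt, next_hash, type_bitmaps=b"") -> bytes:
    """NSEC3 RDATA with a length octet before the salt and before the next hashed
    owner name (the one-octet length field proposed above)."""
    return (struct.pack("!BBH", hash_alg, flags, iterations)
            + bytes([len(salt)]) + salt
            + bytes([len(next_hash)]) + next_hash
            + type_bitmaps)


def parse_nsec3_rdata(rdata: bytes) -> dict:
    """Inverse of nsec3_rdata. The length octet lets a parser find the type bit maps
    without knowing the digest size of the hash algorithm in use."""
    if len(rdata) < 6:
        raise ValueError("truncated NSEC3 RDATA")
    hash_alg, flags, iterations = struct.unpack("!BBH", rdata[:4])
    pos = 4
    salt_len = rdata[pos]
    pos += 1
    salt = rdata[pos:pos + salt_len]
    pos += salt_len
    if len(salt) != salt_len or pos >= len(rdata):
        raise ValueError("truncated NSEC3 RDATA")
    hash_len = rdata[pos]
    pos += 1
    next_hash = rdata[pos:pos + hash_len]
    pos += hash_len
    if len(next_hash) != hash_len:
        raise ValueError("truncated NSEC3 RDATA")
    return {"hash_alg": hash_alg, "flags": flags, "iterations": iterations,
            "salt": salt, "next_hash": next_hash, "type_bitmaps": rdata[pos:]}


if __name__ == "__main__":
    # Compare against the worked example in RFC 5155 Appendix A.
    print(hashed_owner_name("example.", "example.", SAMPLE_SALT, SAMPLE_ITERATIONS))
```

Because the hash length is carried explicitly, a server that meets a record with an unknown hash algorithm can still parse past it (and log the warning discussed at the top of these notes) instead of mis-reading the type bit maps as part of the hash.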