
Query Regarding NSEC RR in DNSSEC


Gaurav kansal

Feb 14, 2012, 12:23:19 PM
to bind-...@lists.isc.org

Dear Team,

We have an authenticated response in DNSSEC through the trust chain.

Now my question is why we need an NSEC at all when we get a response from a DNSSEC-enabled server authentically.

I mean, if a record exists in DNSSEC, then it replies with the answer along with the RRSIG of that RR.

AND if the domain doesn't exist, then it can simply give NXDOMAIN and our job will be done, as we trust that nameserver through the trust chain.

So what's the need of NSEC??????

Thanks n Regards,
GAURAV KANSAL
9910118448
VoIP - 6259
Operation And Routing Unit
NIC, NEW DELHI

Please don't print this e-mail unless you really need to; it will save trees on Planet Earth.
IPv4 is over,
Are you ready for the new Network?


Miek Gieben

Feb 14, 2012, 1:29:30 PM
to bind-...@lists.isc.org
[ Quoting <gaurav...@nic.in> at 22:53 on Feb 14 in "Query Regarding NSEC..." ]
> Dear Team,
>
> We have an authenticated response in DNSSEC through the trust chain.
>
> Now my question is why we need an NSEC at all when we get a response from a
> DNSSEC-enabled server authentically.
>
> I mean, if a record exists in DNSSEC, then it replies with the answer along with
> the RRSIG of that RR.
>
> AND if the domain doesn't exist, then it can simply give NXDOMAIN and our job
> will be done, as we trust that nameserver through the trust chain.
>
> So what's the need of NSEC??????

This is a whitepaper on the subject:

https://www.sidn.nl/fileadmin/docs/PDF-files_UK/wp-2011-0x01-v2.pdf

grtz Miek

Spain, Dr. Jeffry A.

Feb 14, 2012, 1:31:45 PM
to Gaurav kansal, bind-...@lists.isc.org
> We have an authenticated response in DNSSEC through the trust chain.
> Now my question is why we need an NSEC at all when we get a response from a DNSSEC-enabled server authentically.

> I mean, if a record exists in DNSSEC, then it replies with the answer along with the RRSIG of that RR.
> AND if the domain doesn't exist, then it can simply give NXDOMAIN and our job will be done, as we trust that nameserver through the trust chain.
> So what's the need of NSEC??????

Be sure you are not confusing the roles of your stub resolver and the recursive resolver to which it is sending its queries. The recursive resolver needs to analyze DNSSEC data that it gets from various authoritative servers and from its cache. These include DS, DNSKEY, RRSIG, and NSEC records. It then returns an answer to your stub resolver with the AD flag if DNSSEC validation succeeds, or an NXDOMAIN response if DNSSEC validation fails. Your stub resolver doesn't need to see any of the DNSSEC records used in the validation process, but the recursive resolver can't do without them for purposes of DNSSEC validation.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School

Chris Buxton

Feb 14, 2012, 2:18:14 PM
to Gaurav kansal, bind-...@lists.isc.org
Briefly, the answer is, the NXDOMAIN response could be replayed by a man-in-the-middle attacker. We need to have something to sign, something specific to that query. If we just return the zone's SOA record and its signature, we're still subject to a replay attack. So we need to prove the negative, and that happens by enumerating all the possible positive answers "near" the query.

Regards,
Chris Buxton
BlueCat Networks

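Chris Buxton's point, as an added example (not code from the thread or from BIND): a signature can only cover zone data, so a bare NXDOMAIN has nothing query-specific to sign, while an NSEC record names a gap in the zone that a validator can check the queried name against. The zone names, the key, and the HMAC stand-in for RRSIG are all constructed assumptions; the name ordering and coverage rules follow RFC 4034.

```python
import hashlib
import hmac

# Added example, not code from the thread or from BIND. Zone names and key are
# constructed; HMAC stands in for the zone's RRSIG so the logic runs offline.
# Name ordering and NSEC coverage follow RFC 4034.
APEX = "example."
ZONE_KEY = b"constructed-demo-key"                         # stand-in for the ZSK
NAMES = ["example.", "alpha.example.", "delta.example."]   # constructed zone

def canonical_key(name):
    """Canonical DNS order (RFC 4034 s6.1): labels right to left, lowercased."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return labels[::-1]

def build_nsec_chain(names):
    """Each NSEC names the next owner in canonical order; the last wraps to the apex."""
    ordered = sorted(names, key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]

def sign(rr):
    """Stand-in for RRSIG: covers only the record's own bytes, never the query.
    That is why a bare NXDOMAIN has nothing query-specific to sign."""
    return hmac.new(ZONE_KEY, "|".join(rr).encode(), hashlib.sha256).digest()

def nsec_covers(owner, next_name, qname):
    """True if qname falls strictly in the gap (owner, next_name); the wrapped
    NSEC whose next_name is the apex covers every name after its owner."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if n == canonical_key(APEX) and o != n:
        return q > o
    return o < q < n

def validate_denial(qname, nsec_rr, sig):
    """The validator's two checks: genuine signature AND the NSEC covers qname.
    Replaying a signed NSEC from another gap passes the first, fails the second."""
    if not hmac.compare_digest(sig, sign(nsec_rr)):
        return False
    return nsec_covers(nsec_rr[0], nsec_rr[1], qname)

if __name__ == "__main__":
    chain = build_nsec_chain(NAMES)
    gap = chain[1]                                         # alpha -> delta
    print(validate_denial("charlie.example.", gap, sign(gap)))   # True
    print(validate_denial("zulu.example.", gap, sign(gap)))      # False: replay
```

The replayed NSEC still carries a valid signature, which is exactly what a signed SOA or NXDOMAIN would also do; only the coverage check ties the proof to the name actually asked for.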

Marco Davids

Feb 14, 2012, 3:02:33 PM
to bind-...@lists.isc.org
Hello Gaurav,

You might want to have a look at our whitepaper on 'authenticated denial
of existence' to gain a better understanding of this somewhat complicated
aspect of the DNSSEC specification:

https://www.sidn.nl/fileadmin/docs/PDF-files_UK/wp-2011-0x01-v2.pdf

Regards,

--
Marco

Chris Thompson

Feb 15, 2012, 11:14:33 AM
to Gaurav kansal, bind-...@lists.isc.org
On Feb 14 2012, Gaurav kansal wrote:

> We have an authenticated response in DNSSEC through the trust chain.
>
> Now my question is why we need an NSEC at all when we get a response from a
> DNSSEC-enabled server authentically.
>
> I mean, if a record exists in DNSSEC, then it replies with the answer along with
> the RRSIG of that RR.
>
> AND if the domain doesn't exist, then it can simply give NXDOMAIN and our job
> will be done, as we trust that nameserver through the trust chain.
>
> So what's the need of NSEC??????

I think what you have failed to understand here is that there is no idea
in DNSSEC of "trusting a nameserver". The security functions end-to-end,
between the zone administrator (she who generates its contents and signs
it) and the validator, not point-to-point.

--
Chris Thompson
Email: ce...@cam.ac.uk