
draft-ietf-dnsext-nsec3-02



Presentation Transcript


  1. draft-ietf-dnsext-nsec3-02
     Ben Laurie, Roy Arends
     DNSEXT @ 63rd IETF

  2. Changes from -01
     • Weaker salt requirement: "all salt values must be equal" becomes "there must be at least one salt value which is the same for all NSEC3 records".
     • Clarified that the wire format of the next hashed ownername is binary, not base32 (the ownername itself is base32).
     • Better description of the algorithm for constructing NSEC3 records.
     • Rewrote section 6.2: now uses proper labels and simpler wording.
     • Rewrote section 6.4: the crypto text represents reality better than the last version.

  3. Changes from -01
     • Signalling hash truncation: simply truncate the hashed ownername and its corresponding next hashed ownername.
     • Clarified the DoS issues when using a high iterations value.
     • Included an example zone, example responses and corresponding clarifying text.
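The following is an added example, not code from the slides or from the draft's authors. It hashes owner names and builds an NSEC3 chain for a constructed sample zone, following the hash definition that was later published in RFC 5155 (SHA-1 with salt and iterations, base32hex presentation); draft -02 specifics such as the truncation signalling above are not modelled. It illustrates the points in slides 2 and 3: the ownername is presented in base32, the next hashed ownername travels as raw bytes, and every extra iteration is one more SHA-1 per name for signer and validator alike. The zone, names, salt and iteration count are constructed values; the one known-answer check uses the published RFC 5155 example hash of "example." with salt aabbccdd and 12 iterations.

```python
import base64
import hashlib

# Translation table from the standard base32 alphabet to base32hex
# (RFC 4648 "Extended Hex"), the alphabet NSEC3 uses for hashed owner names.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire-format name: lowercase, length-prefixed labels, root label last."""
    name = name.lower().rstrip(".")
    out = bytearray()
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def nsec3_hash(name: str, salt: bytes, iterations: int) -> bytes:
    """NSEC3 hash of an owner name with hash algorithm 1 (SHA-1).

    IH(salt, x, 0) = H(x || salt)
    IH(salt, x, k) = H(IH(salt, x, k-1) || salt)
    Each extra iteration costs one more SHA-1 per name, both for the signer
    and for every validator checking a denial-of-existence proof.
    """
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def base32hex(raw: bytes) -> str:
    """Presentation form of a hashed owner name: base32hex, lowercase, no padding."""
    return base64.b32encode(raw).decode("ascii").translate(_B32_TO_B32HEX).rstrip("=").lower()


def build_nsec3_chain(names, zone: str, salt: bytes, iterations: int):
    """Build the NSEC3 chain for a set of names, in hash order.

    The owner name is the base32hex text form; the next hashed owner name is
    kept as the raw 20 bytes that go on the wire (binary, not base32), with
    its text form alongside for the presentation format.
    """
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in names)
    records = []
    for i, h in enumerate(hashed):
        nxt = hashed[(i + 1) % len(hashed)]  # the last record wraps to the first
        records.append({
            "owner": f"{base32hex(h)}.{zone}",
            "next_wire": nxt,
            "next_text": base32hex(nxt),
        })
    return records


# Constructed sample zone (not the draft's example zone).
SAMPLE_ZONE = "example."
SAMPLE_NAMES = ["example.", "a.example.", "ns1.example.", "www.example."]
SAMPLE_SALT = bytes.fromhex("aabbccdd")
SAMPLE_ITERATIONS = 12

if __name__ == "__main__":
    for rec in build_nsec3_chain(SAMPLE_NAMES, SAMPLE_ZONE, SAMPLE_SALT, SAMPLE_ITERATIONS):
        print(f"{rec['owner']} NSEC3 1 0 {SAMPLE_ITERATIONS} {SAMPLE_SALT.hex()} {rec['next_text']}")
        print(f"    next hashed owner on the wire: {rec['next_wire'].hex()}")
```

Because base32hex preserves the byte ordering of the hashes, sorting the raw digests and sorting the text owner names give the same chain. The iterations value is the cost lever behind the DoS point on the slide: a zone owner who sets it high imposes that many additional SHA-1 computations on every validating resolver for every negative answer, which is why later operational guidance (RFC 9276) recommends an iterations value of 0.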

  4. Input from WG
     • The lack of a specified signalling mechanism for indicating NSEC3 rather than NSEC
       • See -trans and -ter
       • Will include pointers in version -03
     • Which hash algorithms are required / mandatory
       • 0 (identity), 1 (SHA-1) and possibly a new one (truncated SHA-256)
       • We acknowledge current concerns about SHA-1
       • We understand the downgrade attack vector when using 'optional' or 'future' hash algorithms

  5. Input from WG
     • Rolling from NSEC to NSEC3 and vice versa
       • Will be addressed in version -03

  6. Tools
     • An NSEC3-capable signer exists
       • Based on Net::DNS and Net::DNS::SEC
       • Includes a library for NSEC3
     • An NSEC3-capable server exists
       • Authoritative server built from scratch
       • Built for testing extreme corner cases
     • These tools are meant for protocol testing
     • Patches for BIND are in the making

  7. Further work
     • NSEC to NSEC3 rollover
     • Signalling mechanism
     • Required hash algorithms
     • More tools