Someone proposed this approach to prevent NSEC zone walking while doing
static signing:
- Divide your zone into the public names and the private names.
- Sign the two sets separately.
- Throw away the NSEC records from the private set, then merge them, so the
  names from the private set only have RRSIGs, and the public set has RRSIGs and NSECs.
The idea is that if you look up private names you'll get the RRSIG to
prove it's real, but if you look up anything else, the NSECs won't give
them away.
I can think of at least two reasons this won't work. One is that if you
query for a private name but an RRTYPE that doesn't exist at that name
(for example, you query for AAAA but it only has A) there's no NSEC to
prove that the name exists but the RRTYPE doesn't. Another is that if
your cache does RFC 8198 NXDOMAIN synthesis, it'll give you NXDOMAIN for
private names that happen to be in a cached NSEC range.
Am I missing anything? Asking for a friend.
R's,
John
PS: You don't have to tell me about NSEC3 or white lies or black lies, I
know they exist and they work. I wrote a white lie server for abuse.net
in about 400 lines of python. It wasn't hard.
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
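The two failure modes in the message above, worked through in a toy model. This is an added example, not code from the original post or from any real resolver: the zone contents, the `Response`/`NSEC` structures and the simplified validator are constructed for illustration (no wildcard or closest-encloser proofs, no real signatures). It builds an NSEC chain from the public names only, as the proposal describes, then shows (1) a NODATA query at a private name that no NSEC can prove, and (2) a resolver doing RFC 8198 aggressive negative caching that synthesizes NXDOMAIN for a private name because a cached NSEC from a neighbouring public name covers it.

```python
"""Toy model of the split-signing proposal: NSEC chain built from public names
only, plus a validating cache that applies RFC 8198 aggressive NSEC use.
Added example; zone data and structures are constructed, not from the post."""
from dataclasses import dataclass
from typing import Optional

# Constructed zone. Only PUBLIC names get NSEC records; PRIVATE names only get RRSIGs.
PUBLIC = {
    "example.test.": {"SOA", "NS"},
    "a.example.test.": {"A"},
    "m.example.test.": {"A", "AAAA"},
    "z.example.test.": {"A"},
}
PRIVATE = {"secret.example.test.": {"A"}}


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str
    types: frozenset


@dataclass
class Response:
    rcode: str                 # "NOERROR", "NODATA" or "NXDOMAIN"
    signed: bool = False       # answer RRset carries an RRSIG
    nsec: Optional[NSEC] = None
    synthesized: bool = False  # produced from cache via RFC 8198; auth never asked


def canonical_key(name):
    """DNSSEC canonical ordering (RFC 4034 section 6.1): compare labels right to left."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def build_nsec_chain(rrsets):
    """Sort names canonically and link each one to the next (last wraps to the apex)."""
    ordered = sorted(rrsets, key=canonical_key)
    return {name: NSEC(name, ordered[(i + 1) % len(ordered)],
                       frozenset(rrsets[name] | {"NSEC", "RRSIG"}))
            for i, name in enumerate(ordered)}


def nsec_covers(nsec, qname):
    """True if qname sorts strictly between owner and next (handles the apex wrap)."""
    o, n, q = canonical_key(nsec.owner), canonical_key(nsec.next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n      # last NSEC in the chain wraps around to the zone apex


CHAIN = build_nsec_chain(PUBLIC)   # NSECs exist for public names only
ALL = {**PUBLIC, **PRIVATE}        # the merged zone served by the auth server


def authoritative(qname, qtype):
    """Merged zone: RRSIGs everywhere, NSEC only at public names."""
    if qname in ALL:
        if qtype in ALL[qname]:
            return Response("NOERROR", signed=True)
        return Response("NODATA", nsec=CHAIN.get(qname))   # None for private names
    covering = next((x for x in CHAIN.values() if nsec_covers(x, qname)), None)
    return Response("NXDOMAIN", nsec=covering)


def validate(resp, qname, qtype):
    """Simplified validator: a denial without a matching NSEC proof is bogus."""
    if resp.rcode == "NOERROR":
        return "secure" if resp.signed else "bogus"
    if resp.nsec is None:
        return "bogus"
    if resp.rcode == "NODATA":
        ok = resp.nsec.owner == qname and qtype not in resp.nsec.types
        return "secure" if ok else "bogus"
    return "secure" if nsec_covers(resp.nsec, qname) else "bogus"


class Resolver:
    """Validating cache that reuses validated NSECs to answer without asking auth (RFC 8198)."""
    def __init__(self):
        self.nsec_cache = []

    def query(self, qname, qtype):
        for cached in self.nsec_cache:
            if nsec_covers(cached, qname):
                return Response("NXDOMAIN", nsec=cached, synthesized=True)
        resp = authoritative(qname, qtype)
        if resp.nsec is not None and validate(resp, qname, qtype) == "secure":
            self.nsec_cache.append(resp.nsec)
        return resp


def nodata_at_private_name():
    """Reason one: the private name exists, but nothing proves AAAA is absent there."""
    resp = Resolver().query("secret.example.test.", "AAAA")
    return resp.rcode, validate(resp, "secret.example.test.", "AAAA")


def private_name_synthesized_away():
    """Reason two: the NSEC cached for a nearby NXDOMAIN also covers the private name."""
    r = Resolver()
    first = r.query("q.example.test.", "A")        # real NXDOMAIN; NSEC m. -> z. is cached
    second = r.query("secret.example.test.", "A")  # answered from cache, auth never asked
    return first.rcode, second.rcode, second.synthesized, authoritative("secret.example.test.", "A").rcode


if __name__ == "__main__":
    print(nodata_at_private_name())           # ('NODATA', 'bogus')
    print(private_name_synthesized_away())    # ('NXDOMAIN', 'NXDOMAIN', True, 'NOERROR')
```

The second scenario is the interesting one for anyone running such a zone: the auth server still answers `secret.example.test.` correctly, but a resolver that has validated the `m. -> z.` NSEC for some other query never asks it, so the private name becomes unreachable through that cache until the NSEC expires.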