[Dnssec-deployment] opt out in leaf zones (was: DNSSEC for .nz, status update)

Andrew Sullivan ajs at shinkuro.com
Fri Nov 25 16:43:16 EST 2011


On Fri, Nov 25, 2011 at 09:13:28PM +0100, Peter Koch wrote:

> I'm not sure I understand you correctly, but why would 'opt-out'
> make NSEC3 more of a privacy feature than 'vanilla' NSEC3?

It doesn't.  That was precisely my point.  When you get into a meeting
where someone is determined to grand-stand rather than get work done,
the "feature" isn't technical at all.  It's a social feature (just as
NSEC3 in most leaf zones is).

> The usefulness of NSEC3 in the standard APEX+"www"+"mail" zone
> can be questioned already but opt-out in a leaf zone not only
> may not save much, it could also add the risk of loss of authenticated
> denial of existence

Yes.  It would be bad to _use_ this feature in practice, IMO, but if
you had someone who was bleating on about people being able to
enumerate the zone, and who somehow got it into mind that an attacker
could do something tricky to calculate the NSEC3 span, you could use
the availability of opt-out to show that DNSSEC does not cause any of
the claimed vulnerabilities.  Having shown that, my bet is that the
entire conversation would move onto something more useful (like,
hopefully, when to break for lunch) and you'd never actually have to
worry about the problem of whether to use NSEC3 (with or without
opt-out) to "protect" a leaf zone of just a few easily guessable
names.  

I suppose now that the DNSSEC train has left the station, this sort of
half-informed line of argument is not likely to happen so much any
more.  (And of course, I assure you that this entire notion is
completely theoretical and has nothing to do with any conversation I
ever had with anyone.)

A

-- 
Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.
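The point Peter and Andrew are circling is concrete enough to show in code: in an APEX + "www" + "mail" zone, an NSEC3 chain denies a name by proving that its hash falls into a span between two existing hashes, and an Opt-Out flag on the covering NSEC3 weakens that proof to "no signed delegation here", which is not a proof that the name is absent. The following is an added example written for this page, not code from the thread or from any DNS implementation; the zone contents, the salt `abcd`, one hash iteration, and the helper names (`build_chain`, `find`, `denial_status`) are all constructed for illustration. It computes RFC 5155 NSEC3 hashes, builds the sorted chain for the three-name zone, and runs a validator-style closest-encloser check for a nonexistent name with and without Opt-Out.

```python
"""Toy NSEC3 chain for a three-name leaf zone, with and without Opt-Out.

Added example (not from the mailing-list thread): constructs the NSEC3
chain for APEX + "www" + "mail" per RFC 5155 and shows what a validator
can conclude about a nonexistent name when the covering span carries the
Opt-Out flag versus when it does not.  Zone names, salt and iteration
count below are constructed sample values.
"""
import hashlib

B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"  # RFC 4648 base32hex alphabet


def wire_name(name):
    """Canonical wire form: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def b32hex(data):
    """base32hex without padding (a 20-byte SHA-1 digest is exactly 32 chars)."""
    n = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (5 * n - len(data) * 8)
    return "".join(B32HEX[(bits >> (5 * (n - 1 - i))) & 31] for i in range(n))


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: SHA-1(x || salt), then `iterations` further rounds."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return b32hex(h)


def build_chain(names, salt, iterations, opt_out=False):
    """Sorted, circular NSEC3 chain; opt_out sets the Opt-Out flag on every RR."""
    hashed = sorted((nsec3_hash(n, salt, iterations), n) for n in names)
    return [
        {"owner": h, "next": hashed[(i + 1) % len(hashed)][0], "name": n, "opt_out": opt_out}
        for i, (h, n) in enumerate(hashed)
    ]


def find(chain, name, salt, iterations):
    """('match', rr) if name's hash owns an NSEC3, ('cover', rr) if it falls in a span."""
    qh = nsec3_hash(name, salt, iterations)
    for rr in chain:
        o, nx = rr["owner"], rr["next"]
        if qh == o:
            return "match", rr
        # o == nx: single-record chain covers everything; o > nx: last span wraps to first
        if o == nx or o < qh < nx or (o > nx and (qh > o or qh < nx)):
            return "cover", rr
    return None, None


def denial_status(chain, qname, salt, iterations):
    """Mimic a validator's NXDOMAIN reasoning: closest-encloser proof plus wildcard check."""
    kind, rr = find(chain, qname, salt, iterations)
    if kind == "match":
        return {"exists": True, "proven": True, "reason": "NSEC3 owner matches qname"}
    # Closest encloser: walk ancestors of qname until one matches an NSEC3 owner.
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):
        ce = ".".join(labels[i:]) + "."
        if find(chain, ce, salt, iterations)[0] == "match":
            next_closer = ".".join(labels[i - 1:]) + "."
            break
    else:
        return {"exists": False, "proven": False, "reason": "no closest encloser found"}
    k1, span1 = find(chain, next_closer, salt, iterations)
    k2, _ = find(chain, "*." + ce, salt, iterations)
    if k1 != "cover" or k2 != "cover":
        return {"exists": False, "proven": False, "reason": "next closer or wildcard not covered"}
    if span1["opt_out"]:
        return {"exists": False, "proven": False,
                "reason": "covering span has Opt-Out: an unsigned delegation may exist there"}
    return {"exists": False, "proven": True,
            "reason": "closest encloser matched, next closer and wildcard covered"}


ZONE = ["example.", "www.example.", "mail.example."]   # constructed leaf zone
SALT, ITER = bytes.fromhex("abcd"), 1                   # constructed NSEC3 parameters

CHAIN_PLAIN = build_chain(ZONE, SALT, ITER)
CHAIN_OPTOUT = build_chain(ZONE, SALT, ITER, opt_out=True)

if __name__ == "__main__":
    for label, chain in (("NSEC3", CHAIN_PLAIN), ("NSEC3 + Opt-Out", CHAIN_OPTOUT)):
        print(f"{label:16s} ftp.example. -> {denial_status(chain, 'ftp.example.', SALT, ITER)['reason']}")
```

RFC 5155 Appendix A carries reference hashes for checking `nsec3_hash` against a real signer. The example deliberately omits RRSIG verification and the NSEC3PARAM lookup a real validator performs; it isolates the one semantic difference at issue in the thread: with Opt-Out set, the same covering span that would otherwise prove `ftp.example.` absent only proves that no signed delegation hashes into it, so the zone has paid the NSEC3 cost and given up authenticated denial for that name.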
