[Opendnssec-user] Reverse zones?
Jimmy Bergman
jimmy at sigint.se
Thu Mar 8 12:24:15 UTC 2012
Hi
Not trying to start a flame war, but the logical conclusion is that for many use cases you will gain a tiny bit of security by not signing your IPv6 reverse zones - since the actual impact of cache poisoning on reverse zones might be more limited than that of easy enumeration of the network. :-)
However, everyone placing things in DNS of course has to be aware that it is public data, so the "enumeration" threat is IMO something I wouldn't care deeply about.
Best regards,
Jimmy
On Thu, Mar 8, 2012 at 1:14 PM, Olaf Kolkman <olaf at nlnetlabs.nl> wrote:
>
> On Mar 8, 2012, at 12:59 PM, Dick Visser wrote:
>
>>>
>>> While I understand the argument that an IPv4-reverse zone is trivially
>>> enumerated, that will change when IPv6 becomes more common. Naively
>>> trying every IP is just not feasible anymore. In that case NSEC will
>>> actually be helpful in finding addresses that are assigned.
>
>
> try
>
>
> dig @open.nlnetlabs.nl 0.6.0.2.0.8.b.7.0.1.0.0.2.ip6.arpa.
>
> and
>
> dig @open.nlnetlabs.nl 2.6.0.2.0.8.b.7.0.1.0.0.2.ip6.arpa.
>
>
> The first query gives you NOERROR (and an empty answer section). This means that at 0.6.0.2.0.8.b.7.0.1.0.0.2.ip6.arpa. the queried type (A) does not exist, but the node itself does. The tree may have more depth.
>
> The second query gives you NXDOMAIN which means it does not exist and that there are also no subdomains. The domain tree stops here.
>
> Although these answers might be a bit implementation dependent, it is trivial to enumerate an IPv6 address tree.
>
> -Olaf
> ________________________________________________________
>
> Olaf M. Kolkman NLnet Labs
> http://www.nlnetlabs.nl/
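The NOERROR-versus-NXDOMAIN distinction in the quoted reply, as an added offline example that is not part of the thread: a small simulation of how an authoritative server answers type-A queries for names in a hypothetical ip6.arpa zone. The zone contents are an assumption (one constructed PTR for a host inside 2001:7b8:206::/52, the prefix the first quoted dig query corresponds to); no network queries are made.

```python
import ipaddress


def ip6_arpa_name(addr: str) -> str:
    """Return the ip6.arpa owner name of a full IPv6 address (32 reversed nibbles)."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def simulate_rcode(qname: str, ptr_owner_names) -> str:
    """Simulate the RCODE an authoritative server gives a type-A query for qname.

    ptr_owner_names holds every name in the zone that carries a PTR record.
    - qname exists, either as a PTR owner or as an empty non-terminal above
      one: NOERROR with an empty answer section; the tree may continue below.
    - nothing exists at or below qname: NXDOMAIN; the tree stops here.
    """
    qname = qname.lower()
    for name in ptr_owner_names:
        if name == qname or name.endswith("." + qname):
            return "NOERROR"
    return "NXDOMAIN"


# Constructed sample zone (assumption): a single PTR for a host inside
# 2001:7b8:206::/52, the prefix the thread's first dig query corresponds to.
SAMPLE_PTR_OWNERS = frozenset({ip6_arpa_name("2001:7b8:206::1")})

# The two names queried in the thread: one inside the populated /52, one not.
NODE_IN_USE = "0.6.0.2.0.8.b.7.0.1.0.0.2.ip6.arpa."   # 2001:7b8:206:0000::/52
NODE_UNUSED = "2.6.0.2.0.8.b.7.0.1.0.0.2.ip6.arpa."   # 2001:7b8:206:2000::/52

if __name__ == "__main__":
    for node in (NODE_IN_USE, NODE_UNUSED):
        print(f"{node} -> {simulate_rcode(node, SAMPLE_PTR_OWNERS)}")
```

The NOERROR at the first node comes purely from the empty non-terminal created by the PTR below it, which is why the reply's observation holds for unsigned zones too.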