Date: Thu, 04 Sep 2014 07:32:08 +1000
From: Mark Andrews
To: bind9-bugs@isc.org
Subject: wildcard + optout + ad
Message-ID: <20140903213208.ECFBB1E4E161@rock.dv.isc.org>

Opt-Out Considerations:

Note that with or without Opt-Out, an insecure delegation may be
undetectably altered by an attacker. Because of this, the primary
difference in security when using Opt-Out is the loss of the ability
to prove the existence or nonexistence of an insecure delegation
within the span of an Opt-Out NSEC3 RR.

In particular, this means that a malicious entity may be able to
insert or delete RRs with unsigned names. These RRs are normally NS
RRs, but this also includes signed wildcard expansions (while the
wildcard RR itself is signed, its expanded name is an unsigned name).
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: marka@isc.org
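A validator-side view of the passage quoted above, as an added example that is not part of the original message and is not BIND code: it computes the RFC 5155 NSEC3 hash of a name, finds the NSEC3 RR whose span covers it, and refuses to treat the result as authenticated when that RR has the Opt-Out flag set (the AD rule of RFC 5155 section 9.2). The function names, the tuple layout and the sample NSEC3 spans are assumptions constructed for illustration; the zone parameters (salt `aabbccdd`, 12 iterations) are those of the RFC 5155 Appendix A example zone.

```python
import base64
import hashlib

OPT_OUT = 0x01  # NSEC3 Flags field: Opt-Out bit (RFC 5155 section 3.1.2.1)

# base32 (RFC 4648) -> base32hex, lower case, as used in NSEC3 owner names
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: iterated SHA-1 over the canonical wire-format name."""
    labels = [l for l in name.lower().encode().split(b".") if l]
    wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):            # 'iterations' additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode()

def covers(owner_hash, next_hash, h):
    """True if h falls strictly inside the span owner_hash .. next_hash."""
    if owner_hash < next_hash:
        return owner_hash < h < next_hash
    # Last NSEC3 in the chain: the span wraps around to the first hash.
    return h > owner_hash or h < next_hash

def ad_allowed(next_closer, nsec3_rrs, salt_hex, iterations):
    """Return (covered, ad_ok) for the 'next closer' name of an answer.

    nsec3_rrs is a list of (owner_hash, flags, next_hash) tuples taken from
    already signature-validated NSEC3 RRs (hypothetical layout). If the
    covering RR has Opt-Out set, an unsigned name may exist inside the span,
    so the answer must not be reported as authenticated.
    """
    h = nsec3_hash(next_closer, salt_hex, iterations)
    for owner_hash, flags, next_hash in nsec3_rrs:
        if covers(owner_hash, next_hash, h):
            return True, not (flags & OPT_OUT)
    return False, False                    # no covering NSEC3: proof incomplete

if __name__ == "__main__":
    # Constructed spans wide enough to cover any hash; only the flag differs.
    with_opt_out = [("0" * 32, OPT_OUT, "v" * 32)]
    without_opt_out = [("0" * 32, 0, "v" * 32)]
    for label, rrs in (("opt-out", with_opt_out), ("no opt-out", without_opt_out)):
        print(label, ad_allowed("z.w.example", rrs, "aabbccdd", 12))
```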