dnsext-4----Page:13

Open Issues
NSEC3 Issue 9: Potential DoS on Resolvers
Issue:
A potential DoS condition exists in which the operator of a malicious server could select an impractically high number of iterations for the NSEC3 RRs in a signed zone, forcing validating resolvers to spend that many hash operations per name.
Discussion:
One solution would be to permit resolvers to set an upper limit for the number of iterations that would be permitted in an NSEC3 RR, and to treat NSEC3 RRs with values exceeding this as insecure or bogus. This could be accomplished at the implementation level alone, or it could be governed by a recommendation or standard.
Resolution:
We agree that it is desirable for resolvers to set an upper limit. We propose to submit the following two questions for consideration by the IETF Security Area Directorate:
Should an upper limit be specified in the standard?
If so, should the upper limit be specified in a separate document so that it may be updated without having to re-publish the entire standard?
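The following is an added example, not code from the dnsext slides, showing how a validating resolver could apply the iteration cap discussed above. It parses NSEC3 RDATA in the wire layout of RFC 5155 (hash algorithm, flags, iterations, salt, next hashed owner name, type bitmaps), computes the iterated SHA-1 hash so the linear cost in the iteration count is visible, and classifies a record against two caps. The cap values, the record builder and the sample records are constructed for illustration; the thresholds are assumptions, not values from the slides or any standard.

```python
"""NSEC3 iteration cap for a validating resolver (added example).

Wire format and hash construction follow RFC 5155; the cap values below are
constructed for illustration and are not taken from the slides.
"""
import hashlib
import struct

# Constructed policy values (assumptions): a zone whose NSEC3 iterations exceed
# the first cap is treated as insecure (unsigned); above the second cap the
# resolver refuses to do the work at all and returns bogus.
MAX_ITERATIONS_INSECURE = 150
MAX_ITERATIONS_BOGUS = 2500


def name_to_wire(name: str) -> bytes:
    """Encode a dotted owner name in canonical (lowercase) DNS wire form."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_nsec3_rdata(rdata: bytes) -> dict:
    """Parse NSEC3 RDATA: alg(1) flags(1) iterations(2) saltlen(1) salt
    hashlen(1) next-hashed-owner type-bitmaps(rest). Raises on truncation so a
    malformed record cannot be mistaken for a low-iteration one."""
    if len(rdata) < 5:
        raise ValueError("truncated NSEC3 RDATA header")
    alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    pos = 5
    salt = rdata[pos:pos + salt_len]
    if len(salt) != salt_len:
        raise ValueError("truncated salt")
    pos += salt_len
    if pos >= len(rdata):
        raise ValueError("missing hash length")
    hash_len = rdata[pos]
    pos += 1
    next_hashed = rdata[pos:pos + hash_len]
    if len(next_hashed) != hash_len:
        raise ValueError("truncated next hashed owner name")
    pos += hash_len
    return {
        "alg": alg,
        "flags": flags,
        "iterations": iterations,
        "salt": salt,
        "next_hashed": next_hashed,
        "type_bitmaps": rdata[pos:],
    }


def build_nsec3_rdata(iterations: int, salt: bytes = b"\xaa\xbb\xcc\xdd",
                      next_hashed: bytes = b"\x00" * 20, alg: int = 1,
                      flags: int = 0, bitmaps: bytes = b"") -> bytes:
    """Construct NSEC3 RDATA for test records (constructed sample data)."""
    return (struct.pack("!BBHB", alg, flags, iterations, len(salt)) + salt
            + bytes([len(next_hashed)]) + next_hashed + bitmaps)


def nsec3_hash(owner_wire: bytes, salt: bytes, iterations: int) -> bytes:
    """RFC 5155 section 5: IH(0) = H(owner || salt), IH(k) = H(IH(k-1) || salt),
    with H = SHA-1. The work is 1 + iterations hash operations per name, which
    is exactly the lever an abusive zone can pull against every validator."""
    digest = hashlib.sha1(owner_wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def hash_operations(iterations: int, names_to_check: int) -> int:
    """Number of SHA-1 invocations a validator performs for one denial-of-existence
    proof that must hash `names_to_check` names (closest encloser, next closer,
    wildcard) at the given iteration count."""
    return (1 + iterations) * names_to_check


def classify_nsec3(rdata: bytes, insecure_cap: int = MAX_ITERATIONS_INSECURE,
                   bogus_cap: int = MAX_ITERATIONS_BOGUS) -> str:
    """Apply the upper limit before doing any hashing: returns "validate" when
    the record is within policy, "insecure" or "bogus" when it exceeds a cap."""
    rr = parse_nsec3_rdata(rdata)
    if rr["iterations"] > bogus_cap:
        return "bogus"
    if rr["iterations"] > insecure_cap:
        return "insecure"
    return "validate"


if __name__ == "__main__":
    for it in (0, 10, 500, 65535):
        verdict = classify_nsec3(build_nsec3_rdata(it))
        print(f"iterations={it:5d} ops/proof={hash_operations(it, 3):7d} -> {verdict}")
```

The check runs before any hash is computed, so a record carrying the maximum 16-bit iteration count (65535) costs the resolver only a five-byte header parse rather than tens of thousands of SHA-1 calls per name.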
NSEC3 Status