Speaker
Description
Authenticated Denial of Existence is one of the more challenging aspects of the DNSSEC protocol to understand. It is also one of the leading causes of implementation bugs in the field (as I've described at past OARC talks). Over time, a number of distinct variants of authenticated denial have emerged, further complicating the landscape. This presentation will survey and compare the various authenticated denial of existence methods in use today, such as NSEC, NSEC3, NSEC/NSEC3 White Lies, and Compact Denial of Existence. It will provide a brief history of protocol development in this area and discuss various negative response synthesis techniques, the tradeoffs involving traffic and computational costs, and relative security properties such as zone enumeration protection. Lastly, it will give a quick overview of the implementation and deployment status of these techniques in the field.
Talk duration: 20 Minutes (+5 for Q&A)