On Sat, Sep 14, 2019 at 02:31:14PM +0200, Stephane Bortzmeyer wrote:
> On Wed, Sep 11, 2019 at 02:32:35PM -0400,
>  Viktor Dukhovni <ietf-dane@xxxxxxxxxxxx> wrote
>  a message of 37 lines which said:
>
> > Finally, in security considerations, there's no mention of
> > the potential security impact of stale negative responses.
>
> It's not true, the last two paragraphs of section 10 do it. Maybe, as
> reported by an AD, add that an attacker may DDoS authoritative name
> servers just to exploit this possibility?

I read those, but there's no mention (perhaps unnecessary?) of the
security impact of stale *negative* (i.e. NXDOMAIN or NODATA) for TLSA
records used in Opportunistic DANE TLS (e.g. RFC7672).

When DANE TLSA records are *initially* published for a domain, and the
RRSIGs of previously published NSEC/NSEC3 records are not yet expired
(typically 14 to 30 days), stale NXDOMAIN RRs + signatures for the TLSA
records downgrade SMTP Opportunistic DANE TLS to just opportunistic TLS.
The exposure goes away once the TLSA records have been in place long
enough for all stale NSEC records to expire.

Granted, perhaps the limited exposure timeframe makes this corner case
not worthy of discussion, but it differs materially from the stale
*positive* cache cases (address RRs, ...), and could be worth
mentioning, if not too "esoteric".

-- 
	Viktor.