IETF Logo Mail Archive

[dnsext] RFC 4470 bitmap (Was Re: Authenticated denial of existence...)

Matthijs Mekking <matthijs@nlnetlabs.nl> Fri, 22 November 2013 09:43 UTC

Return-Path: <matthijs@nlnetlabs.nl>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 059891ACAD7 for <dnsext@ietfa.amsl.com>; Fri, 22 Nov 2013 01:43:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.431
X-Spam-Level:
X-Spam-Status: No, score=-100.431 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, RP_MATCHES_RCVD=-0.525, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vbl-xXsvQi1x for <dnsext@ietfa.amsl.com>; Fri, 22 Nov 2013 01:43:31 -0800 (PST)
Received: from open.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id 90F111ACC86 for <dnsext@ietf.org>; Fri, 22 Nov 2013 01:43:31 -0800 (PST)
Received: from [IPv6:2001:981:19be:1:70cd:5583:2262:3804] ([IPv6:2001:981:19be:1:70cd:5583:2262:3804]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.7/8.14.4) with ESMTP id rAM9hKHL074178 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT) for <dnsext@ietf.org>; Fri, 22 Nov 2013 10:43:20 +0100 (CET) (envelope-from matthijs@nlnetlabs.nl)
Authentication-Results: open.nlnetlabs.nl; dmarc=none header.from=nlnetlabs.nl
DKIM-Filter: OpenDKIM Filter v2.8.3 open.nlnetlabs.nl rAM9hKHL074178
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1385113403; bh=254uypD+2hMmWEj5ypZzelxPK9gnu3CGB+1vg3FHscU=; h=Date:From:To:Subject:References:In-Reply-To; b=SkgOjKEWCfgTcF5n5cOndN4GDJZzfXkz7MvwwtA7fz+Ww6lUSgJsaitz4sH8y44QE 2UPIK8jFKMHUIIHgAJWuycsvUKjsE6l4AC+ntVMgbr3LTOVTzUAFpJpU+8Pfp0qJL6 0OdNDtu5OYNF9sGEmCvOrvDTUTs8g9rqPDNZNWjk=
Message-ID: <528F2737.1020002@nlnetlabs.nl>
Date: Fri, 22 Nov 2013 10:43:19 +0100
From: Matthijs Mekking <matthijs@nlnetlabs.nl>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0
MIME-Version: 1.0
To: dnsext@ietf.org
References: <CFD6B510-D70E-4308-BF3E-B2E7C2ADCBEB@nominum.com> <alpine.LSU.2.00.1311201202570.11548@hermes-2.csi.cam.ac.uk>
In-Reply-To: <alpine.LSU.2.00.1311201202570.11548@hermes-2.csi.cam.ac.uk>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.4.3 (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::53]); Fri, 22 Nov 2013 10:43:21 +0100 (CET)
Subject: [dnsext] RFC 4470 bitmap (Was Re: Authenticated denial of existence...)
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Nov 2013 09:43:36 -0000

As a result of writing down text relating RFC 4470 in
draft-gieben-auth-denial-of-existence-dns, I come to the following
observation:

RFC 4470 sets requirements for the next owner name in the generated NSEC
record. Specifically, the next owner name is lexically before the actual
next existing name in the zone. The next owner name must be lexically
after the QNAME. The span may not cover any existing names.

Main point: I cannot find requirements for the owner name. In other
words, that may be an existing name.

But the RFC explicitly says:

   The generated NSEC record's type bitmap MUST have the RRSIG and NSEC
   bits set and SHOULD NOT have any other bits set.

That is only true if the owner name does not exist. So either this
requirement should be relaxed, or there should be an additional
requirement that the generated NSEC owner name may not exist.

(By the way, I think the requirement should be relaxed, because a
minimally covering NSEC record may also be used in a NODATA response)

Best regards,
  Matthijs


On 11/20/2013 01:12 PM, Tony Finch wrote:
> Ted Lemon <ted.lemon@nominum.com> wrote:
> 
>> Is this on anyone's radar?   What are your thoughts about it?
>>
>> https://datatracker.ietf.org/doc/draft-gieben-auth-denial-of-existence-dns/
> 
> A really nice and helpful document.
> 
> A suggestion:
> 
> It should discuss RFC 4470 Minimally Covering NSEC Records, and the
> related idea of NSEC3 "white lies" implemented by Dan Kaminsky's
> Phreebird. (I can't immediately find a good description of how the latter
> works.) Both these require on-demand synthesizing and signing of negative
> responses, whereas the mechanisms that Miek's draft currently covers are
> all designed for serving from a pre-signed zone file without requiring
> online private keys.
> 
> Tony.
>

v2.39.1 | Report a Bug | By Email | System Status