Re: [dnsext] RFC 4470 bitmap (Was Re: Authenticated denial of existence...)
Matthijs Mekking <matthijs@nlnetlabs.nl> Fri, 22 November 2013 15:52 UTC
Message-ID: <528F7DB4.10102@nlnetlabs.nl>
Date: Fri, 22 Nov 2013 16:52:20 +0100
From: Matthijs Mekking <matthijs@nlnetlabs.nl>
To: Tony Finch <dot@dotat.at>
References: <CFD6B510-D70E-4308-BF3E-B2E7C2ADCBEB@nominum.com> <alpine.LSU.2.00.1311201202570.11548@hermes-2.csi.cam.ac.uk> <528F2737.1020002@nlnetlabs.nl> <alpine.LSU.2.00.1311221359460.11548@hermes-2.csi.cam.ac.uk>
In-Reply-To: <alpine.LSU.2.00.1311221359460.11548@hermes-2.csi.cam.ac.uk>
Cc: dnsext@ietf.org
On 11/22/2013 03:06 PM, Tony Finch wrote:
> Matthijs Mekking <matthijs@nlnetlabs.nl> wrote:
>>
>> Main point: I cannot find requirements for the owner name. In other
>> words, that may be an existing name.
>
> There are two cases: "instantiated names" which are names that exist in
> the zone, in which case the owner name of the NSEC record matches the
> owner name of the other records (para. 2 of sect. 3); and proofs of
> nonexistence generated on-demand (para. 3 of sect. 3):
>
>    Whenever an NSEC record is needed to prove the non-existence of a
>    name, a new NSEC record is dynamically produced and signed. The new
>    NSEC record has an owner name lexically before the QNAME but
>    lexically following any existing name and a "next name" lexically
>    following the QNAME but before any existing name.
>
>> But the RFC explicitly says:
>>
>>    The generated NSEC record's type bitmap MUST have the RRSIG and NSEC
>>    bits set and SHOULD NOT have any other bits set.
>
> That is the first sentence of para. 4 of sect. 3 which refers to the
> on-demand NSEC records described in the previous paragraph.

It is not clear to me that this sentence only refers to the on-demand
NSEC records, especially because the sentence talks about the "generated
NSEC record's type bitmap" and in para. 1 of sect. 3 it is mentioned that
for instantiated names, NSEC records can still be generated and signed in
advance.

But yes, it makes sense that the rule only applies to non-existent names.

Best regards,
  Matthijs

>> (By the way, I think the requirement should be relaxed, because a
>> minimally covering NSEC record may also be used in a NODATA response)
>
> For NODATA responses you use the NSEC record of an instantiated name,
> which can be minimally covering as described in para. 2 of sect. 3.
>
> Tony.
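The constraints quoted from RFC 4470 sect. 3 above (owner name before the QNAME but after every existing name, next name after the QNAME but before every existing name, type bitmap carrying only RRSIG and NSEC) can be checked mechanically once names are compared in DNSSEC canonical order (RFC 4034 sect. 6.1). The following is an added example, not code from either participant or from any DNS implementation; the zone contents and the candidate NSEC records are constructed for illustration.

```python
"""Validate an RFC 4470 on-demand ("minimally covering") NSEC record.

Names are dotted strings; latin-1 lets "\x00" and "\xff" stand for raw
label octets, which is how the epsilon functions of RFC 4470 sect. 4
build names that sit just after or just before a given name.
"""


def canonical_key(name: str) -> tuple:
    # RFC 4034 sect. 6.1: labels are compared from the root downward, as
    # unsigned octet strings with ASCII uppercase folded to lowercase; a
    # name whose labels are a prefix of another sorts first. Reversing the
    # label tuple makes Python's tuple/bytes ordering do exactly that.
    labels = name.rstrip(".").encode("latin-1").lower().split(b".")
    if labels == [b""]:          # the root name has no labels
        labels = []
    return tuple(reversed(labels))


def before(a: str, b: str) -> bool:
    return canonical_key(a) < canonical_key(b)


def next_after(qname: str) -> str:
    # RFC 4470 sect. 4 style epsilon: prepending a single-octet "\000"
    # label gives the name immediately following qname in canonical order.
    return "\x00." + qname


def check_covering_nsec(owner, next_name, qname, existing, type_bitmap):
    """Return a list of RFC 4470 violations; an empty list means the record
    is a valid on-demand proof of non-existence for qname."""
    problems = []
    if not before(owner, qname):
        problems.append("owner name is not lexically before QNAME")
    if not before(qname, next_name):
        problems.append("next name is not lexically after QNAME")
    for name in existing:
        # No instantiated name may lie inside (or on the edges of) the span
        # the record claims to cover, or the proof would be a false denial.
        if not (before(name, owner) or before(next_name, name)):
            problems.append(f"existing name {name!r} inside covered span")
    if set(type_bitmap) != {"RRSIG", "NSEC"}:
        problems.append("type bitmap must carry exactly RRSIG and NSEC")
    return problems


ZONE = ["example.com", "a.example.com", "c.example.com"]   # constructed
QNAME = "b.example.com"
```

For `QNAME`, an owner of `a\xff.example.com` and a next name of `next_after(QNAME)` pass the check, while reusing the instantiated name `a.example.com` as the owner or adding an `A` bit to the bitmap is reported as a violation.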