Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-01.txt

Mark Andrews <marka@isc.org> Tue, 27 October 2015 00:00 UTC

To: Ray Bellis <ray@bellis.me.uk>
From: Mark Andrews <marka@isc.org>
References: <20150310.191541.52184726.fujiwara@jprs.co.jp> <5753B8EC-60EC-44F3-872E-94766558EE50@redbarn.org> <20151025104914.GA23386@sources.org> <4681433.xxzpcmHjWT@sume.local> <562DED9E.40305@bellis.me.uk>
In-reply-to: Your message of "Mon, 26 Oct 2015 09:08:46 -0000." <562DED9E.40305@bellis.me.uk>
Date: Tue, 27 Oct 2015 10:59:54 +1100
Message-Id: <20151026235954.122BB3B2735C@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/458T0xrXHH96bWz_hWCeKnajCJs>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-01.txt

In message <562DED9E.40305@bellis.me.uk>, Ray Bellis writes:
> On 26/10/2015 06:39, Paul Vixie wrote:
> > sanity check, someone?
> >
> > i believe that in dnssec, an empty non-terminal has a proof that the
> > name exists, and a proof that there are no RR's. thus, vastly
> > different from the signaling for NXDOMAIN.
> 
> RFC 4035 §3.1.3.2 appears to say differently :(
> 
> The subject of that section is "Including NSEC RRs: Name Error
> Response", and it says:
> 
> "Note that this form of response includes cases in which SNAME
>  corresponds to an empty non-terminal name within the zone (a name
>  that is not the owner name for any RRset but that is the parent name
>  of one or more RRsets)."

It's a heads up to say you need to be very careful here.  The NSEC
record provides both nonexistence and potentially existence proofs
for names in the range on the NSEC.  It's not saying the ENT gets
Name Error.

> Paul and I already exchange mail off-list - I think we're both equally
> surprised at the above.
> 
> Clarification from the authors of the rationale for this would be useful
> here!
> 
> Ray
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
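The distinction Mark is drawing (an NSEC that covers a name can prove the name does not exist, or can prove it exists as an empty non-terminal, depending on where the NSEC's "next" name sits) is easy to get wrong in a resolver that synthesizes negative answers from cached NSEC records, which is exactly what the aggressive-use draft proposes. The following Python is an added illustration written for this thread; it is not code from the draft, from ISC or from any of the posters. The zone, the NSEC chain and the function names (`canonical_key`, `covering_nsec`, `classify`) are constructed for the example. It implements the RFC 4034 canonical name ordering, finds the NSEC whose interval contains the query name, and then applies the ENT rule: if the covering NSEC's next owner name is a subdomain of the query name, the query name exists as an ENT and the proof is NODATA, not NXDOMAIN. Wildcard and closest-encloser handling are deliberately left out.

```python
"""Classify a query against a DNSSEC NSEC chain (constructed illustration).

Shows why an NSEC record that "covers" a query name may be proving that the
name exists as an empty non-terminal (ENT), so the right negative answer is
NODATA (NOERROR, empty answer section) rather than NXDOMAIN.
"""

EXISTS = "EXISTS"          # owner name has an RRset of the queried type
NODATA = "NODATA"          # name exists (NSEC owner == qname), type absent
NODATA_ENT = "NODATA_ENT"  # name is an empty non-terminal: exists, no RRsets
NXDOMAIN = "NXDOMAIN"      # name does not exist at all

# Constructed zone: b.example.com is an ENT (only the child a.b.example.com
# has data).  Note there is no NSEC owned by b.example.com; the ENT is
# proved by its parent's NSEC whose "next" name points *below* it.
APEX = "example.com."
CHAIN = [
    ("example.com.",     "a.b.example.com.", {"SOA", "NS", "RRSIG", "NSEC", "DNSKEY"}),
    ("a.b.example.com.", "c.example.com.",   {"A", "RRSIG", "NSEC"}),
    ("c.example.com.",   "example.com.",     {"AAAA", "RRSIG", "NSEC"}),
]


def canonical_key(name):
    """RFC 4034 section 6.1 ordering key: labels reversed (root first),
    lower-cased, compared byte-wise.  A name that is a prefix of a longer
    one sorts first, which Python's tuple comparison gives us for free."""
    name = name.rstrip(".").lower()
    labs = name.split(".") if name else []
    return tuple(lab.encode("ascii") for lab in reversed(labs))


def is_subdomain(child, parent):
    """True if child is strictly below parent in the tree."""
    c, p = canonical_key(child), canonical_key(parent)
    return len(c) > len(p) and c[:len(p)] == p


def covering_nsec(qname, chain, apex):
    """Return the NSEC whose (owner, next) interval contains qname.
    The last NSEC in the chain wraps around to the apex, so its interval
    is 'everything after owner' rather than owner < q < next."""
    q = canonical_key(qname)
    for owner, nxt, types in chain:
        o, n = canonical_key(owner), canonical_key(nxt)
        if o < n:
            if o < q < n:
                return owner, nxt, types
        elif n == canonical_key(apex) and q > o:
            return owner, nxt, types
    raise ValueError("no NSEC covers %s; chain is incomplete" % qname)


def classify(qname, qtype, chain, apex):
    """Decide what the NSEC chain proves for (qname, qtype)."""
    if not (canonical_key(qname) == canonical_key(apex) or is_subdomain(qname, apex)):
        raise ValueError("qname is outside the zone")
    # An NSEC owned by qname proves the name exists; the type bitmap then
    # decides between an answer and NODATA.
    for owner, _nxt, types in chain:
        if canonical_key(owner) == canonical_key(qname):
            return EXISTS if qtype in types else NODATA
    # Otherwise the name has no NSEC of its own.  If the covering NSEC's
    # next name lies below qname, qname must exist as an ENT (RFC 4035
    # section 3.1.3.2's "name error form" still carries this proof).
    _owner, nxt, _types = covering_nsec(qname, chain, apex)
    if is_subdomain(nxt, qname):
        return NODATA_ENT
    return NXDOMAIN


if __name__ == "__main__":
    for q, t in [("b.example.com.", "A"), ("d.example.com.", "A"),
                 ("a.b.example.com.", "AAAA"), ("x.b.example.com.", "A")]:
        print("%-20s %-5s -> %s" % (q, t, classify(q, t, CHAIN, APEX)))
```

The interesting case is `b.example.com`: its covering NSEC is `example.com NSEC a.b.example.com`, and because `a.b.example.com` is below the query name, a resolver synthesizing from that cached NSEC must answer NODATA, not NXDOMAIN. A sibling such as `x.b.example.com` is covered by `a.b.example.com NSEC c.example.com`, whose next name is not below it, so NXDOMAIN is the correct synthesis there.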