Re: [DNSOP] Real world examples that contain DNSSEC secure `Wildcard Answer` or `Wildcard No Data`

Petr Špaček <pspacek@isc.org> Fri, 22 October 2021 08:20 UTC

To: dnsop@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KEmPo8F1dhyCnW9z8Aeiy9lMm1M>

On 22. 10. 21 4:34, Joey Deng wrote:
> Hello folks,
> 
> On [RFC4035 3.1.3.  Including NSEC RRs in a Response](https://datatracker.ietf.org/doc/html/rfc4035#section-3.1.3), it describes four different cases when NSEC records should be included in a response:
> 1. No Data
> 2. Name Error
> 3. Wildcard Answer
> 4. Wildcard No Data.
> 
> I am trying to find real world examples to help me better understand the cases above, I found some examples for case 1 and case 2:
> 
> 1. No Data
> ```
> dig www.ietf.org.cdn.cloudflare.net. MX +dnssec +cdflag +tcp

Beware, DNS responses from Cloudflare are not exactly "canonical" because 
Cloudflare is using so-called black-lies:
https://blog.cloudflare.com/black-lies/
It is a valid approach, but not the thing you read about in the RFC 403x 
series.

For responses "as usual" have a look at these answers:

 > 1. No Data
isc.org WKS

 > 2. Name Error
surelynonexistentname.isc.org A

 > 3. Wildcard Answer
surelynonexistentname.blog.root.cz A

 > 4. Wildcard No Data.
surelynonexistentname.blog.root.cz WKS


Here is another set of examples for NSEC3 (RFC 5155):

 > 1. No Data
nic.cz WKS

 > 2. Name Error
surelynonexistentname.nic.cz A

 > 3. Wildcard Answer
surelynonexistentname.pages.nic.cz A

 > 4. Wildcard No Data.
surelynonexistentname.pages.nic.cz WKS

I hope it helps.

-- 
Petr Špaček  @  ISC
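To make the four RFC 4035 section 3.1.3 cases concrete, here is an added example (not code from this post, from ISC or from the RFC) that classifies a signed response by the structure of its authority section: which NSEC owns the qname, which NSEC covers it in canonical order, and whether the RRSIG Labels field is smaller than the owner name's label count (the wildcard-expansion signal). The responses are modelled as small dataclasses rather than wire format, and the NSEC "next" names and type bitmaps are constructed to resemble the zones named above, not copied from the live isc.org or root.cz zones. NSEC3 (RFC 5155) follows the same four cases with hashed owner names and is not modelled here.

```python
"""Classify a DNSSEC response into the RFC 4035 3.1.3 cases (added example).

Responses are hand-built dataclasses; NSEC next-names and type bitmaps below
are constructed for illustration, not taken from the real isc.org / root.cz.
"""
from dataclasses import dataclass, field


@dataclass
class RRset:
    owner: str
    rtype: str
    rrsig_labels: int        # Labels field of the RRSIG covering this RRset


@dataclass
class NSEC:
    owner: str
    next: str
    types: frozenset         # type bitmap of the owner name


@dataclass
class Response:
    qname: str
    qtype: str
    rcode: str                                      # "NOERROR" or "NXDOMAIN"
    answer: list = field(default_factory=list)      # RRset objects
    authority: list = field(default_factory=list)   # NSEC objects


def labels(name):
    """Labels of an FQDN with the root omitted, so len() matches RRSIG Labels."""
    return [l for l in name.rstrip(".").split(".") if l]


def key(name):
    """Canonical ordering key (RFC 4034 6.1): rightmost label most significant."""
    return [l.lower().encode() for l in reversed(labels(name))]


def is_ancestor(anc, name):
    return key(name)[:len(key(anc))] == key(anc)


def nsec_covers(nsec, name):
    """True when owner < name < next, i.e. the NSEC proves `name` does not exist."""
    o, n, q = key(nsec.owner), key(nsec.next), key(name)
    if o < n:
        return o < q < n
    return q > o or q < n          # last NSEC of the zone wraps around to the apex


def closest_encloser(qname, nsec):
    """Longest ancestor of qname shared with the covering NSEC's owner or next."""
    best = []
    for existing in (nsec.owner, nsec.next):
        common = []
        for a, b in zip(key(qname), key(existing)):
            if a != b:
                break
            common.append(a)
        best = max(best, common, key=len)
    return ".".join(l.decode() for l in reversed(best)) + "."


def classify(r):
    q = r.qname
    covering = [n for n in r.authority if nsec_covers(n, q)]
    if r.rcode == "NXDOMAIN":
        # Name Error: NSEC covering qname plus NSEC covering *.<closest encloser>
        if not covering:
            return "bogus: NXDOMAIN without an NSEC covering the qname"
        wild = "*." + closest_encloser(q, covering[0])
        if not any(nsec_covers(n, wild) for n in r.authority):
            return "bogus: no NSEC proving %s does not exist" % wild
        return "Name Error"
    if r.answer:
        # RRSIG Labels < label count of the owner name => wildcard expansion
        if not any(rr.rrsig_labels < len(labels(rr.owner)) for rr in r.answer):
            return "Positive Answer"
        if not covering:
            return "bogus: wildcard answer without an NSEC covering the qname"
        return "Wildcard Answer"
    for n in r.authority:
        if key(n.owner) == key(q):
            # No Data: NSEC owned by the qname itself, qtype absent from its bitmap
            if r.qtype in n.types:
                return "bogus: NSEC bitmap of %s contains %s" % (q, r.qtype)
            return "No Data"
    for n in r.authority:
        if n.owner.startswith("*.") and is_ancestor(n.owner[2:], q) and covering:
            # Wildcard No Data: NSEC owned by the matching wildcard with qtype
            # absent, plus an NSEC (possibly the same one) covering the qname
            if r.qtype in n.types:
                return "bogus: wildcard bitmap contains %s" % r.qtype
            return "Wildcard No Data"
    return "bogus: no applicable NSEC proof"


APEX_TYPES = frozenset({"A", "NS", "SOA", "MX", "TXT", "AAAA", "RRSIG", "NSEC", "DNSKEY"})
WILD_TYPES = frozenset({"A", "AAAA", "RRSIG", "NSEC"})

# Constructed responses shaped like `dig +dnssec` output for the names above.
SAMPLES = {
    "No Data": Response("isc.org.", "WKS", "NOERROR",
        authority=[NSEC("isc.org.", "_dmarc.isc.org.", APEX_TYPES)]),
    "Name Error": Response("surelynonexistentname.isc.org.", "A", "NXDOMAIN",
        authority=[NSEC("smtp.isc.org.", "tools.isc.org.", frozenset({"A", "RRSIG", "NSEC"})),
                   NSEC("isc.org.", "_dmarc.isc.org.", APEX_TYPES)]),   # covers *.isc.org
    "Wildcard Answer": Response("surelynonexistentname.blog.root.cz.", "A", "NOERROR",
        answer=[RRset("surelynonexistentname.blog.root.cz.", "A", rrsig_labels=3)],
        authority=[NSEC("*.blog.root.cz.", "www.blog.root.cz.", WILD_TYPES)]),
    "Wildcard No Data": Response("surelynonexistentname.blog.root.cz.", "WKS", "NOERROR",
        authority=[NSEC("*.blog.root.cz.", "www.blog.root.cz.", WILD_TYPES)]),
}

if __name__ == "__main__":
    for expected, resp in SAMPLES.items():
        got = classify(resp)
        print("%s %s -> %s" % (resp.qname, resp.qtype, got))
        assert got == expected
```

When you run the real `dig ... +dnssec` queries from the post, the value to compare against this model is the third rdata field of each RRSIG (its Labels count): for the wildcard answer it is one less than the number of labels in the owner name, and the authority section carries an NSEC (or NSEC3) owned by `*.<closest encloser>` or covering the query name, which is exactly what distinguishes cases 3 and 4 from a plain positive answer or a plain No Data.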