[DNSOP] Conflict between "Aggressive Use" and "Wildcards"

Edward Lewis <edward.lewis@icann.org> Mon, 05 March 2018 20:19 UTC

Return-Path: <edward.lewis@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id CD87D12D77D for <dnsop@ietfa.amsl.com>; Mon, 5 Mar 2018 12:19:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id WHLVlOH2YWmP for <dnsop@ietfa.amsl.com>; Mon, 5 Mar 2018 12:19:16 -0800 (PST)
Received: from out.west.pexch112.icann.org (pfe112-ca-1.pexch112.icann.org []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89BC3129515 for <dnsop@ietf.org>; Mon, 5 Mar 2018 12:19:16 -0800 (PST)
Received: from PMBX112-W1-CA-1.pexch112.icann.org ( by PMBX112-W1-CA-1.pexch112.icann.org ( with Microsoft SMTP Server (TLS) id 15.0.1178.4; Mon, 5 Mar 2018 12:19:14 -0800
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([]) with mapi id 15.00.1178.000; Mon, 5 Mar 2018 12:19:14 -0800
From: Edward Lewis <edward.lewis@icann.org>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: Conflict between "Aggressive Use" and "Wildcards"
Thread-Index: AQHTtL86H3YqliCSq0GZC7/nm6bl8w==
Date: Mon, 5 Mar 2018 20:19:13 +0000
Message-ID: <9D52601D-006E-4E6E-BA91-D4A7D6EC65C5@icann.org>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/10.a.0.180210
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-ID: <57A14EB097A92F44ADD18B56EA3E335E@pexch112.icann.org>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QbpQS2if88qhf2pgim1qZt3YlgI>
Subject: [DNSOP] Conflict between "Aggressive Use" and "Wildcards"
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Mar 2018 20:19:19 -0000

A few weeks ago, I came across a blog post describing a "security hole" in so-called "NSEC Aggressive Use" implementations.


After some exchanges of email with the blog author, I (probably not alone, but not wanting to speak for anyone else) came to a conclusion that there's a conflict between the documents "Aggressive Use of DNSSEC-Validated Cache" [1] and "The Role of Wildcards in the Domain Name System" [2].

In the latter document, this text appears in " NSEC RRSet at a Wildcard Domain Name" (section 4.7):
#    "Synthesized NSEC RRs will not be harmful as they will never be used in
#    negative caching or to generate a negative response [RFC2308]."

From this, the former document ought to list it as updating the latter document, and explain how.  This seems (said without confirming) to be the origin of the implementation difficulties.

I tried (once, a while ago) to contact the editors of the "Aggressive Use" document, but haven't gotten a response.  Suggestions?

[1] https://www.rfc-editor.org/rfc/rfc8198.txt
[2] https://www.rfc-editor.org/rfc/rfc4592.txt