[DNSOP] How does NSEC record(s) prove the Name Error?

[Joey Deng <qiaoyu_deng@apple.com>]

Hi Folks,

I have a very basic question about NSEC record in DNSSEC validation:

How does NSEC record(s) prove the Name Error?

In [RFC 4035 5.4. Authenticated Denial of Existence](https://datatracker.ietf.org/doc/html/rfc4035#section-5.4), it says:

>    o  If the requested RR name matches the owner name of an
>       authenticated NSEC RR, then the NSEC RR's type bit map field lists
>       all RR types present at that owner name, and a resolver can prove
>       that the requested RR type does not exist by checking for the RR
>       type in the bit map.  If the number of labels in an authenticated
>       NSEC RR's owner name equals the Labels field of the covering RRSIG
>       RR, then the existence of the NSEC RR proves that wildcard
>       expansion could not have been used to match the request.
> 
>    o  If the requested RR name would appear after an authenticated NSEC
>       RR's owner name and before the name listed in that NSEC RR's Next
>       Domain Name field according to the canonical DNS name order
>       defined in [RFC4034 <https://datatracker.ietf.org/doc/html/rfc4034>], then no RRsets with the requested name exist
>       in the zone.  However, it is possible that a wildcard could be
>       used to match the requested RR owner name and type, so proving
>       that the requested RRset does not exist also requires proving that
>       no possible wildcard RRset exists that could have been used to
>       generate a positive response.
> 

I can understand the first point, because it is an exact name matching. However, what makes me feel confused is the second one:

If the question name appears in-between the current owner name and the next owner name of the NSEC record, which means that there is no exact name matching:
We should prove that
> no possible wildcard RRset exists that could have been used to generate a positive response.

But it does not describe how to prove it,

What are possible wildcard RRsets for a given name?

My understanding about possible wildcard RRsets for a given name are all the possible sources of synthesis.
For example, the possible wildcard RRsets that can be used to answer question wwww.ietf.org <http://wwwwww.ietf.org/> AAAA are:
*.ietf.org <http://ietf.org/>
*.org
* (but I think root can never be a wildcard, so this is impossible)

Is my understanding correct?

————————————————————————————————————————————————————————————————————————

For example, if I send a DNS query for wwww.ietf.org <http://wwwwww.ietf.org/> with DO/CD bit set, there will be two NSEC records returned:

```
$ dig "wwww.ietf.org" AAAA +dnssec +cdflag +tcp @1.1.1.1

; <<>> DiG 9.10.6 <<>> wwww.ietf.org AAAA +dnssec +cdflag +tcp @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34013
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;wwww.ietf.org.			IN	AAAA

;; AUTHORITY SECTION:
ietf.org.		1800	IN	SOA	ns0.amsl.com. glen.amsl.com. 1200000537 1800 1800 604800 1800
ietf.org.		1800	IN	RRSIG	SOA 5 2 1800 20221019014909 20211019005139 40452 ietf.org. GUaWdfXoPWOjb+/1w5Dtn8VoeemBYXdDIQui365JuuIBkEC4YKFLb+m+ u8YJ+cbnTzDb768HkTX8AbWaupZVR2FLn2r06hf6YruVi5jRjzExYLQ6 22Rn8TCvNpNRBZ7fyEcBd9m3aacGr+2iBXgYL9QRXag0tSAAW5oxjI8H CcQLLylwGKDvQv2sNIQLxZlkYFXa+swBOuFQdT8MmymOKjV1d+p3s+S0 1HdUb7JAR2vTK/UVib5zfyXGiQcpD6F3XOQNVTY2dgc2ywAqoudANVmz Rm9rql12MALn2hu5HwrfC0djzXxo6Ry8I0KLmRtAsDoz4ie95Oh1Bnt4 qUhJLA==
wwwtest.ietf.org.	1800	IN	NSEC	xml2rfc.ietf.org. CNAME RRSIG NSEC
wwwtest.ietf.org.	1800	IN	RRSIG	NSEC 5 3 1800 20221019015021 20211019005139 40452 ietf.org. regwKawm6O9BAaHVyBICHjPlGiwDWoXO8OaqH4zJOOgAglrAMXajbEmx XHJsbq3DVEVGkU8NSQJxmGYjklyKzmMbIBpt7+RaXKT7WIGd/zRjSlnI gWSztB6gWTMQq98vQKeFgrt5X8a10p6C36gtJh5sGFq8FpiAvKoKuGO8 tyWKxux7pEQhlhTySr7ipRe8qmGDpy4H+8bkGqvJ7UJ0f3A366bZyD2Q XLdTG4DUrNWt8wKK0FiL2851PegU8FdQb0IXOlBHNF6qXiKCIhBLbK4W 3O3UYKsNLhYPBYuWNGZQ2mlEsfgUC9ddBU1trmMEObm3E+1tR/jemSYA uF+S7Q==
ietf.org.		1800	IN	NSEC	_dmarc.ietf.org. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY SPF
ietf.org.		1800	IN	RRSIG	NSEC 5 2 1800 20221019015032 20211019005139 40452 ietf.org. PiCNEGBSBbC/ALNR5ebDwk1wQGMH/l6MtV5ZAGYl9M1wf43NrqHapDlU AP2E07FsPIyo9PcWui67PidLgVA4e0rRJbyHK2B92tEeprZbxSOCeIFi NWiLl1oCZt+IQCCnFlzJkbwk2MWOVRYxUdQfmWk0QZZZtRr1c/i4VwPU MAVqCORkGpc6W6LLiTITLphe7X0NHb7e41n8J06tPh1a6GmRYRJCy41c F26Bf6GcEJBpNTvlNuirimbhvjL4Ax+FHBe5MA/Tjp4K1AeUIA0ibBVI 20o14zUqSsph67/Snz9fdpJ/dsvP9QwTNLTKR6Jxofi/ArWEBEheXsm+ pkZTRA== 
```

The two returned NSEC records are:
wwwtest.ietf.org. -> xml2rfc.ietf.org.
ietf.org. -> _dmarc.ietf.org.

If we follow the steps described by [RFC 4035 5.4. Authenticated Denial of Existence](https://datatracker.ietf.org/doc/html/rfc4035#section-5.4), we will find that:

wwwtest.ietf.org. -> xml2rfc.ietf.org. tells us that the exact name match for wwww.ietf.org does not exist, since it appears in-between the two names. Therefore, the remaining ietf.org. -> _dmarc.ietf.org. NSEC should be used to prove that “no possible wildcard RRset exists that could have been used to generate a positive response” for the name wwww.ietf.org <http://wwww.ietf.org/>.

Therefore, my question is:
How can ietf.org. -> _dmarc.ietf.org NSEC be used to prove that there is no wildcard record for the name wwww.ietf.org? Do we need to prove that all the possible sources of synthesis for wwww.ietf.org <http://wwww.ietf.org/> appear in-between ietf.org. and _dmarc.ietf.org <http://dmarc.ietf.org/>?

Or do we only need to prove that *.ietf.org <http://ietf.org/> appears in-between ietf.org. and _dmarc.ietf.org <http://dmarc.ietf.org/>? If so why do we choose *.ietf.org <http://ietf.org/> instead of *.org or *?

Thanks.

--
Joey Deng