Re: [DNSOP] What is the purpose of NSEC3 "closest encloser" proofs?

Matthijs Mekking <matthijs@pletterpet.nl> Fri, 09 October 2020 06:24 UTC

Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C48F13A09C9 for <dnsop@ietfa.amsl.com>; Thu, 8 Oct 2020 23:24:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.213, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pgy3XQLEyf5a for <dnsop@ietfa.amsl.com>; Thu, 8 Oct 2020 23:24:32 -0700 (PDT)
Received: from lb3-smtp-cloud8.xs4all.net (lb3-smtp-cloud8.xs4all.net [194.109.24.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 456CD3A09C4 for <dnsop@ietf.org>; Thu, 8 Oct 2020 23:24:31 -0700 (PDT)
Received: from cust-69fe625f ([IPv6:fc0c:c103:c4a6:cf3c:d2f9:56fe:3f93:cb0b]) by smtp-cloud8.xs4all.net with ESMTPSA id QlpJkFs1RTHgxQlpLkJBqw; Fri, 09 Oct 2020 08:24:29 +0200
To: dnsop@ietf.org
References: <CAFz7pMveOPbJDrLu2d8idr0xChMSCzcg_Uh_RZjPuQ9a02YpNg@mail.gmail.com>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <02f566a7-725e-0b29-7f6d-3aa5683ae015@pletterpet.nl>
Date: Fri, 9 Oct 2020 08:24:25 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <CAFz7pMveOPbJDrLu2d8idr0xChMSCzcg_Uh_RZjPuQ9a02YpNg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-CMAE-Envelope: MS4wfPB+bZ+DWj0MZsdwD/fOmRyeDgEzoi6QOaN6EV5ATuvbvMkCpsu1haxclzzm4ntPabPhMdtbPdGBrHq2wh7lx7QcBHJkVZCfgKtsuYwxVUzZuQWw1zhQ yYbFG9Q+0aMH1uAe7fTkU5PrEO/UoI+QN80Kca2+KCjvlXPzrsL+6GMfOcLqpVZykTmyd/DBZS/eSOs+/wwUdGLpJQU+WdFhdqR/OVKCG0INiwQT24Yc/6PO qSNGo1VwUaKWUPAZZ/lUBcVLS2gb19kN39kDOoCWgtI=
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XoOLaCvBilpSz9UspfmRCy0UvQs>
Subject: Re: [DNSOP] What is the purpose of NSEC3 "closest encloser" proofs?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Oct 2020 06:24:35 -0000

Hello Nick,

The closest encloser proof is explained in RFC 7129, Section 5.5.

    https://tools.ietf.org/html/rfc7129#section-5.5

Best regards,

Matthijs

On 10/9/20 1:46 AM, Nick Johnson wrote:
> I'm reading RFC 5155, and I'm a bit puzzled by the requirement for
> "closest encloser" proofs to prove nonexistence of a domain. Given that
> the RFC requires generating NSEC3 records on empty non-terminals, isn't
> it sufficient to examine a single NSEC3 record to prove nonexistence?
> 
> For example, if I want to prove the nonexistence of a.b.c.example, isn't
> it sufficient to validate an NSEC3 record that covers that name and is
> one level higher (eg, somehash.b.c.example)? Why do I need to prove the
> closest-encloser with a second NSEC3 record?
> 
> -Nick Johnson
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>