Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-01.txt

Samuel Weiler <weiler@tislabs.com> Tue, 27 October 2015 12:04 UTC

Return-Path: <weiler@tislabs.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 452B71A877D for <dnsop@ietfa.amsl.com>; Tue, 27 Oct 2015 05:04:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.311
X-Spam-Level:
X-Spam-Status: No, score=-1.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_37=0.6, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jb33USqLqxsH for <dnsop@ietfa.amsl.com>; Tue, 27 Oct 2015 05:04:45 -0700 (PDT)
Received: from walnut.tislabs.com (walnut.tislabs.com [192.94.214.200]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92CFB1A8773 for <dnsop@ietf.org>; Tue, 27 Oct 2015 05:04:45 -0700 (PDT)
Received: from nova.tislabs.com (unknown [10.66.1.77]) by walnut.tislabs.com (Postfix) with ESMTP id CCD6428B003D; Tue, 27 Oct 2015 08:04:44 -0400 (EDT)
Received: from nova.tislabs.com (nova.tislabs.com [10.66.1.77]) by nova.tislabs.com (Postfix) with ESMTP id 9FED51F8035; Tue, 27 Oct 2015 08:04:44 -0400 (EDT)
Date: Tue, 27 Oct 2015 08:04:44 -0400 (EDT)
From: Samuel Weiler <weiler@tislabs.com>
To: dnsop <dnsop@ietf.org>
Message-ID: <alpine.LRH.2.03.1510270756560.8276@tislabs.com>
User-Agent: Alpine 2.03 (LRH 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/nTzydFhxCnqYkElNKQJBsuAK62Q>
Cc: Paul Vixie <paul@redbarn.org>
Subject: Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Oct 2015 12:04:46 -0000

> sanity check, someone?
>
> i believe that in dnssec, an empty non-terminal has a proof that the 
> name exists, and a proof that there are no RR's. thus, vastly different 
> from the signaling for NXDOMAIN.

Yes, it does.  With NSEC3 it is an explicit proof.  With NSEC you have to 
read between the lines.

NSEC3: see RFC5155 sections 7.1 and B.2.1.

NSEC: if foo.example is an empty non-terminal, then there will exist an 
NSEC record such as "echo.example NSEC alpha.foo.example ..." - the ENT's 
name is part of the "next domain name".

-- Sam