Re: [DNSOP] What is the purpose of NSEC3 "closest encloser" proofs?

Mark Andrews <marka@isc.org> Fri, 09 October 2020 01:43 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27B1A3A11B8 for <dnsop@ietfa.amsl.com>; Thu, 8 Oct 2020 18:43:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rYNqctN-cyV4 for <dnsop@ietfa.amsl.com>; Thu, 8 Oct 2020 18:43:11 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC6C13A11D7 for <dnsop@ietf.org>; Thu, 8 Oct 2020 18:43:11 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 117A33AB007; Fri, 9 Oct 2020 01:43:11 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id EA497160073; Fri, 9 Oct 2020 01:43:10 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id D56F4160072; Fri, 9 Oct 2020 01:43:10 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id dgMU4fqRO-bm; Fri, 9 Oct 2020 01:43:10 +0000 (UTC)
Received: from [172.30.42.67] (unknown [49.2.101.160]) by zmx1.isc.org (Postfix) with ESMTPSA id 7D816160071; Fri, 9 Oct 2020 01:43:07 +0000 (UTC)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.7\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <CAHPuVdVRN9M8XPt3Vi8c1jTU5qSo38nK4vhGRX-i+UA82-DJrw@mail.gmail.com>
Date: Fri, 9 Oct 2020 12:43:00 +1100
Cc: Nick Johnson <nick=40ethereum.org@dmarc.ietf.org>, dnsop WG <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <0B675494-0680-45C7-B30B-442B0011E16D@isc.org>
References: <CAFz7pMveOPbJDrLu2d8idr0xChMSCzcg_Uh_RZjPuQ9a02YpNg@mail.gmail.com> <CAHPuVdX8S0-0a_0Daxn79zh=XD-q702YTXaK4YDpxRS_eTKhKQ@mail.gmail.com> <CAHPuVdVRN9M8XPt3Vi8c1jTU5qSo38nK4vhGRX-i+UA82-DJrw@mail.gmail.com>
To: Shumon Huque <shuque@gmail.com>
X-Mailer: Apple Mail (2.3445.9.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zJ_YBuarrHLDieKyA5AKmpmqrpk>
Subject: Re: [DNSOP] What is the purpose of NSEC3 "closest encloser" proofs?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Oct 2020 01:43:16 -0000

Shumon, you where correct the first time.  A closest encloser can be a ENT

a.b.c.d.example A ...
a.e.x A ...

with QNAME a.c.c.d.example the closest encloser is the ENT c.d.example.

> On 9 Oct 2020, at 12:32, Shumon Huque <shuque@gmail.com> wrote:
> 
> On Thu, Oct 8, 2020 at 8:59 PM Shumon Huque <shuque@gmail.com> wrote:
> On Thu, Oct 8, 2020 at 7:46 PM Nick Johnson <nick=40ethereum.org@dmarc.ietf.org> wrote:
> I'm reading RFC 5155, and I'm a bit puzzled by the requirement for "closest encloser" proofs to prove nonexistence of a domain. Given that the RFC requires generating NSEC3 records on empty non-terminals, isn't it sufficient to examine a single NSEC3 record to prove nonexistence?
> 
> For example, if I want to prove the nonexistence of a.b.c.example, isn't it sufficient to validate an NSEC3 record that covers that name and is one level higher (eg, somehash.b.c.example)? Why do I need to prove the closest-encloser with a second NSEC3 record?
> 
> -Nick Johnson
> 
> The closest encloser proof actually *is* what proves that the name doesn't exist. But the other reason is that for NXDOMAIN proofs, you also need to prove that the name could not have been synthesized by a wildcard. The hypothetical wildcard that might have synthesized a response for the name is constructed by prepending the asterisk label to the closest encloser.
> 
> Let's use your example and say 'a.b.c.example' doesn't exist in the zone example.
> 
> Let's also say the longest ancestor of this name that actually does exist in the zone is 'c.example' (which could be an empty non-terminal or not -- either way, it will have an NSEC3 record matching the hash of the name).
> 
> One small correction to my sentence above: strike the phrase about empty non-terminals - the closest encloser can't be an ENT of course (otherwise it wouldn't exist either!).
> 
> Shumon.
> 
> The NXDOMAIN proof consists of:
> 
> ### Closest Encloser proof:
> * the NSEC3 RR that matches the closest encloser name 'c.example'
> * the NSEC3 RR that covers the next closer name 'b.c.example'
> 
> This proves that b.c.example does not exist. This automatically means that all names under it, including a.b.c.example, do not exist.
> 
> ### Wildcard non existence proof:
> * the NSEC3 RR that covers the wildcard at the closest encloser, namely '*.c.example'.
> 
> Shumon Huque
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org