Re: [dns-operations] NXDOMAIN vs NODATA for suffixes of existing name
Edward Lewis <Ed.Lewis@neustar.biz> Mon, 17 April 2006 14:47 UTC
From: Edward Lewis <Ed.Lewis@neustar.biz>
Subject: Re: [dns-operations] NXDOMAIN vs NODATA for suffixes of existing name
Date: Mon, 17 Apr 2006 10:47:46 -0400
Lines: 72
References: <87psjkfrg5.fsf@mid.deneb.enyo.de> <a06200700c065419a45c0@[192.168.1.101]> <87slogcpgi.fsf@mid.deneb.enyo.de> <a06200700c0654f9c8402@[192.168.1.101]> <36258.1145039666@sa.vix.com> <87y7y4a7f9.fsf@mid.deneb.enyo.de> <68956.1145283088@sa.vix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: namedroppers@ops.ietf.org, Florian Weimer <fw@deneb.enyo.de>
X-From: owner-namedroppers@ops.ietf.org Mon Apr 17 16:55:36 2006
Return-path: <owner-namedroppers@ops.ietf.org>
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-1.5 required=5.0 tests=AWL,BAYES_00, DNS_FROM_RFC_POST autolearn=no version=3.1.1
In-Reply-To: <68956.1145283088@sa.vix.com>
To: paul@vix.com
X-Scanned-By: MIMEDefang 2.56 on 66.92.146.160
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
X-Message-ID:
Message-ID: <20140418072157.2560.24189.ARCHIVE@ietfa.amsl.com>
I don't get the point. (I need clarification.) I will say I don't understand the last paragraph of 3.1.3.2 in 4035 (as quoted by Florian). When it comes to name errors, empty non-terminals need not apply. NSEC3 breaks rules. It has to. The reason is that when the design choices were make for NSEC (nee NXT), a set of rules were included assuming NXT and making NXR more reasonable. Deviating from NSEC into NSEC3 means upending design decisions and rules set forth. I don't see the conflict between DNSSEC and the wild card document. Maybe this is the missed point: You don't need an NSEC at a name to prove it has no RRsets. example. NSEC a.example. soa ns nsec dnskey rrsig a.example. NSEC a.b.example. a txt nsec rrsig a.b.example. NSEC c.example. a txt nsec rrsig c.example. NSEC example. ns nsed rrsig These records indicate that there are 5 names in the zone, 4 of which have records. "b.example." does not have any records, not even an NSEC. A query for "b.example. A" would get 0 answer records, and "a.example. NSEC a.b.example. a txt nsec rrsig" in the authority section. The verifier can infer that b.example exists (since a.b.example exists) and that by "pointing" past b.example, the NSEC says there is nothing to see at b.example. At 14:11 +0000 4/17/06, paul@vix.com wrote: >folks, i think florian's got a valid point here. > >> From: Florian Weimer <fw@deneb.enyo.de> >> To: dns-operations@lists.oarci.net >> Date: Mon, 17 Apr 2006 11:16:26 +0200 >> Subject: Re: [dns-operations] NXDOMAIN vs NODATA for suffixes of existing >> name >> >> * Paul Vixie: >> >> > to me, b.example.net exists because that's what we decided for dnssec, >> >> Post-RFC-4035, I assume? Because RFC 4035 says, in section 3.1.32: >> >> | Note that this form of response includes cases in which SNAME >> | corresponds to an empty non-terminal name within the zone (a name >> | that is not the owner name for any RRset but that is the parent name >> | of one or more RRsets). >> >> This also follows from the prohibition of NSEC generation for empty >> non-terminals (section 2.3, "An NSEC record (and its associated RRSIG >> RRset) MUST NOT be the only RRset at any particular owner name."), as >> you would need such an NSEC RR for responding with NODATA. This means >> that the draft-ietf-dnsext-wcard-clarify (thanks Peter and Edward!) is >> in conflict with DNSSEC (as a simple update of the DNSSEC spec is not >> possible). >> >> Ah, draft-ietf-dnsext-nsec3 handles this case differently, matching the >> draft-ietf-dnsext-wcard-clarify. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-571-434-5468 NeuStar Nothin' more exciting than going to the printer to watch the toner drain... -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- Re: [dns-operations] NXDOMAIN vs NODATA for suffi… paul
- Re: [dns-operations] NXDOMAIN vs NODATA for suffi… Edward Lewis
- Re: [dns-operations] NXDOMAIN vs NODATA for suffi… Rob Austein
- Re: [dns-operations] NXDOMAIN vs NODATA for suffi… Roy Arends
- Re: [dns-operations] NXDOMAIN vs NODATA for suffi… Roy Arends
- Re: [dns-operations] NXDOMAIN vs NODATA for suffi… Edward Lewis
- Re: [dns-operations] NXDOMAIN vs NODATA for suffi… Rob Austein
- Re: [dns-operations] NXDOMAIN vs NODATA for suffi… Edward Lewis
- Re: [dns-operations] NXDOMAIN vs NODATA for suffi… Roy Arends
- Re: [dns-operations] NXDOMAIN vs NODATA for suffi… Rob Austein
- Re: [dns-operations] NXDOMAIN vs NODATA for suffi… Edward Lewis
- Re: [dns-operations] NXDOMAIN vs NODATA for suffi… Rob Austein