[dns-operations] .net returning glue and NSEC3 records?
ogud at ogud.com
Mon Nov 7 21:28:47 UTC 2011
On 11/7/2011 3:55 PM, Paul Wouters wrote:
> On Mon, 7 Nov 2011, Lutz Donnerhacke wrote:
>>> We noticed that .net is returning glue for items it also proves via
>>> that it does not exist?
>> Nope. They are returing the proof, that they do not know the DS entry.
> My query was for the NS record, not the DS record. While the same record
> proof the non-existence for NS and DS (see below) the query does not
> this proof.
DNSSEC/RFC403x requires that referral include a DS or NSEC proving that
DS does not exist in the authority section.
NSEC3 w/o opt-in is identical in requirement to NSEC
NECE3 with Opt-in requires that the covering NSEC3 record be supplied to
a) the name does not have DS (exact match)
b) The name is in an opt-in span. (no match i.e. name in opt-out span)
>>> lanzarote-immobilie.net. NS dns5.sistema-dns.com.
>>> lanzarote-immobilie.net. NS dns6.sistema-dns.com.
>>> A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. NSEC3 1 1 0 - (
>>> A2003PRAPCHMS9L1A11GMVJ0JNP84A46 NS SOA RRSIG DNSKEY NSEC3PARAM)
>> That proofs, that they do not have "*.net DS" in their zone.
See the string "1 1 0" that is "Hashalg=1, Flags=1, Iterations=0"
Flags=1 ==> Opt-in span.
Thus this NSEC3 record is here in its role as OPT-out proof.
> I'm not sure if that's true. I do not understand what name that has
> is covering. It does not seem to proof the lack of wildecard?
> [paul at bofh paul]$ ldns-nsec3-hash -a 1 -t 0 \*.net.
>>> 6MVJ05SNCJH2809G6OGGGH7J921VNJ7T.net. 86400 IN NSEC3 1 1 0 - (
>>> 6OP5R34VLOJ3Q2K4NMIIGA7N5KBV10K5 NS DS RRSIG
>> That proofs, that they dow not have "lanzarote-immobilie.net DS".
> [paul at bofh paul]$ ldns-nsec3-hash -a 1 -t 0 lanzarote-immobilie.net.
> It seems to proof they have no NS record, and yes also proof they have
> no DS record. So my question remains, why is .net serving NS glue for
> domains that verifiable do not exist?
More information about the dns-operations