[dns-operations] nsec3param rdata differs from nsec3 rdata
Mark Andrews
marka at isc.org
Wed Sep 25 02:56:41 UTC 2013
4.1.2. Flag Fields
The Opt-Out flag is not used and is set to zero.
All other flags are reserved for future use, and must be zero.
NSEC3PARAM RRs with a Flags field value other than zero MUST be
ignored.
In message <52424C07.6010505 at cnnic.cn>, =?UTF-8?B?546L5qWg?= writes:
> Hi to all,
>
> Perhaps a silly question.
> As described in RFC5155, the RDATA for NSEC3PARAM mirrors the first four
> fields in the NSEC3 RR.
> I've look up the nsec3param of com.:
>
> ; <<>> DiG 9.8.0 <<>> @8.8.8.8 com nsec3param
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58060
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;com. IN NSEC3PARAM
>
> ;; ANSWER SECTION:
> com. 21600 IN NSEC3PARAM 1 0 0 -
>
> Its flags is 0.
>
> Then I look up a non-existent domain with dnssec:
>
> ; <<>> DiG 9.8.0 <<>> @8.8.8.8 kjsadjasoiudasoiudsa.com. a +dnssec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31699
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;kjsadjasoiudasoiudsa.com. IN A
>
> ;; AUTHORITY SECTION:
> com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1380076365
> 1800 900 604800 86400
> com. 900 IN RRSIG SOA 8 1 900 20131002023245 20130925012245 8795 com.
> dzXDVF1gsUVzYk7KdMOwqO5yJReBb8jaymYPaj5ZLsvOv7kHEuzMY7qv
> dUxXjAA+qqm9lImXfWIu90U2dK6XTIumnZhLhzgfYYP2pQ5r+pZMPb1r
> peWjscHmxSaE/7iOBykI/AROcaNNxEZfsgQHZUInOvofC+f9FV99KivK 7Ig=
> CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 21600 IN NSEC3 1 1 0 -
> CK0RFQAOES8CTVNVNH4G6Q85NOQAQ8I9 NS SOA RRSIG DNSKEY NSEC3PARAM
> CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 21600 IN RRSIG NSEC3 8 2 86400
> 20131001044158 20130924033158 8795 com.
> c+W4fkLqnTtu6XL7Bicwsm9YL0xrAfiO6JIhWqDVaxUAtwLFVcHUIgAE
> 28lwK0cKBoH2l4kUQ1br4f1+0UKrENaIEyYNckVcriJoIgTkJVvOzEDZ
> UQuTXt1kEIG185puDKsO/tJKEChZUbflVm1uvmXQbvbFJvifF2RZ1ueV UW4=
> PCD87LHN4A34E9JB9656PD359AT67C4B.com. 21600 IN NSEC3 1 1 0 -
> PCDIRKJF2VGC5MP5DCTMBAAB53F3MRVP NS DS RRSIG
> PCD87LHN4A34E9JB9656PD359AT67C4B.com. 21600 IN RRSIG NSEC3 8 2 86400
> 20131001060008 20130924045008 8795 com.
> OfTJRPiB200QnS0otRCE2M5YN9subWIwemVJ0w28fV5exxJJdVatU1po
> ZWnQ1/qTioun+oj2oiqGvV5VgLKBqMTyyK0JtybNTrCMqBKUsCTIGx/h
> JXb3gukiFzdBW4FWFREWXQmXsBcUa4CfGPFIJQHRbaeBhkFtEQ+77gA8 moI=
> 3RL20VCNK6KV8OT9TDIJPI0JU1SS6ONS.com. 21600 IN NSEC3 1 1 0 -
> 3RL6P2SC3PCQ1OCQBP3075NNJVOSMU0I NS DS RRSIG
> 3RL20VCNK6KV8OT9TDIJPI0JU1SS6ONS.com. 21600 IN RRSIG NSEC3 8 2 86400
> 20130928042044 20130921031044 8795 com.
> p9pSXNoMwYs56eCywWKKZnvex/lmjMniRaFsfQhPhdpzdC/9YGg2fkJl
> wFGrv2LcCnfpRWAFVRlVv+rTZ+CW+3/6j3xHYZi0fJ3Ex7nQifHCnzqz
> ZoIgzwc+c2TSvZMw1F0tdJYPGm63zn8vxn6ZWwJLnSI2T27gkEUTlOX4 ZGE=
>
> Notice that the flags of nsec3 is 1.
>
> Someone could explain me why these 2 flags are different??
> Thank you in advance.
>
> --
>
>
> ----------------------------------------
> ====
>
> CNNIC
> :(8610)-58813129
> : www.cnnic.cn
> .
> :44
> 3496100080
> ----------------------------------------
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations
mailing list