[dns-operations] nsec3param rdata differs from nsec3 rdata

Mark Andrews marka at isc.org
Wed Sep 25 02:56:41 UTC 2013


4.1.2.  Flag Fields

   The Opt-Out flag is not used and is set to zero.

   All other flags are reserved for future use, and must be zero.

   NSEC3PARAM RRs with a Flags field value other than zero MUST be
   ignored.


In message <52424C07.6010505 at cnnic.cn>, 王楠 writes:
> Hi to all,
> 
> Perhaps a silly question.
> As described in RFC5155, the RDATA for NSEC3PARAM mirrors the first four 
> fields in the NSEC3 RR.
> I've looked up the nsec3param of com.:
> 
> ; <<>> DiG 9.8.0 <<>> @8.8.8.8 com nsec3param
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58060
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;com. IN NSEC3PARAM
> 
> ;; ANSWER SECTION:
> com. 21600 IN NSEC3PARAM 1 0 0 -
> 
> Its flags is 0.
> 
> Then I looked up a non-existent domain with dnssec:
> 
> ; <<>> DiG 9.8.0 <<>> @8.8.8.8 kjsadjasoiudasoiudsa.com. a +dnssec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31699
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;kjsadjasoiudasoiudsa.com. IN A
> 
> ;; AUTHORITY SECTION:
> com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1380076365 
> 1800 900 604800 86400
> com. 900 IN RRSIG SOA 8 1 900 20131002023245 20130925012245 8795 com. 
> dzXDVF1gsUVzYk7KdMOwqO5yJReBb8jaymYPaj5ZLsvOv7kHEuzMY7qv 
> dUxXjAA+qqm9lImXfWIu90U2dK6XTIumnZhLhzgfYYP2pQ5r+pZMPb1r 
> peWjscHmxSaE/7iOBykI/AROcaNNxEZfsgQHZUInOvofC+f9FV99KivK 7Ig=
> CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 21600 IN NSEC3 1 1 0 - 
> CK0RFQAOES8CTVNVNH4G6Q85NOQAQ8I9 NS SOA RRSIG DNSKEY NSEC3PARAM
> CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 21600 IN RRSIG NSEC3 8 2 86400 
> 20131001044158 20130924033158 8795 com. 
> c+W4fkLqnTtu6XL7Bicwsm9YL0xrAfiO6JIhWqDVaxUAtwLFVcHUIgAE 
> 28lwK0cKBoH2l4kUQ1br4f1+0UKrENaIEyYNckVcriJoIgTkJVvOzEDZ 
> UQuTXt1kEIG185puDKsO/tJKEChZUbflVm1uvmXQbvbFJvifF2RZ1ueV UW4=
> PCD87LHN4A34E9JB9656PD359AT67C4B.com. 21600 IN NSEC3 1 1 0 - 
> PCDIRKJF2VGC5MP5DCTMBAAB53F3MRVP NS DS RRSIG
> PCD87LHN4A34E9JB9656PD359AT67C4B.com. 21600 IN RRSIG NSEC3 8 2 86400 
> 20131001060008 20130924045008 8795 com. 
> OfTJRPiB200QnS0otRCE2M5YN9subWIwemVJ0w28fV5exxJJdVatU1po 
> ZWnQ1/qTioun+oj2oiqGvV5VgLKBqMTyyK0JtybNTrCMqBKUsCTIGx/h 
> JXb3gukiFzdBW4FWFREWXQmXsBcUa4CfGPFIJQHRbaeBhkFtEQ+77gA8 moI=
> 3RL20VCNK6KV8OT9TDIJPI0JU1SS6ONS.com. 21600 IN NSEC3 1 1 0 - 
> 3RL6P2SC3PCQ1OCQBP3075NNJVOSMU0I NS DS RRSIG
> 3RL20VCNK6KV8OT9TDIJPI0JU1SS6ONS.com. 21600 IN RRSIG NSEC3 8 2 86400 
> 20130928042044 20130921031044 8795 com. 
> p9pSXNoMwYs56eCywWKKZnvex/lmjMniRaFsfQhPhdpzdC/9YGg2fkJl 
> wFGrv2LcCnfpRWAFVRlVv+rTZ+CW+3/6j3xHYZi0fJ3Ex7nQifHCnzqz 
> ZoIgzwc+c2TSvZMw1F0tdJYPGm63zn8vxn6ZWwJLnSI2T27gkEUTlOX4 ZGE=
> 
> Notice that the flags of nsec3 is 1.
> 
> Could someone explain to me why these 2 flags are different?
> Thank you in advance.
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
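
The rule quoted from RFC 5155 section 4.1.2, applied to the two records from the dig output above. This is an added example, not part of the original message or of any ISC code; the function names are hypothetical, and only the first four presentation-format fields of each RDATA are parsed.

```python
OPT_OUT = 0x01  # Opt-Out bit of the NSEC3 Flags field (RFC 5155)

def parse_params(rdata):
    """Parse the four leading fields that NSEC3 and NSEC3PARAM share:
    hash algorithm, flags, iterations, salt ("-" means an empty salt)."""
    alg, flags, iterations, salt = rdata.split()[:4]
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return int(alg), int(flags), int(iterations), salt_bytes

def usable_nsec3param(rdata):
    """Return (alg, iterations, salt), or None when the Flags field is
    non-zero and the NSEC3PARAM RR must be ignored (section 4.1.2)."""
    alg, flags, iterations, salt = parse_params(rdata)
    if flags != 0:
        return None
    return alg, iterations, salt

def chain_matches(nsec3param_rdata, nsec3_rdata):
    """True when the NSEC3 RR uses the parameters the NSEC3PARAM RR states.
    Flags are left out of the comparison: Opt-Out is set per NSEC3 RR and
    is always zero in NSEC3PARAM, so the two Flags fields may differ."""
    params = usable_nsec3param(nsec3param_rdata)
    if params is None:
        return False
    alg, _flags, iterations, salt = parse_params(nsec3_rdata)
    return params == (alg, iterations, salt)

def opt_out(nsec3_rdata):
    """True when the NSEC3 RR has the Opt-Out bit set."""
    return bool(parse_params(nsec3_rdata)[1] & OPT_OUT)

# RDATA copied from the dig output quoted in the message above.
COM_NSEC3PARAM = "1 0 0 -"
COM_NSEC3 = "1 1 0 - CK0RFQAOES8CTVNVNH4G6Q85NOQAQ8I9 NS SOA RRSIG DNSKEY NSEC3PARAM"

if __name__ == "__main__":
    print("same chain parameters:", chain_matches(COM_NSEC3PARAM, COM_NSEC3))
    print("NSEC3 has Opt-Out set:", opt_out(COM_NSEC3))
```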


