[dns-operations] Forged Delegation Injection into Empty Non-Terminal with NSEC3
T.Suzuki
tss at reflection.co.jp
Wed Jan 17 06:04:08 UTC 2018
On Mon, 15 Jan 2018 10:46:11 +1100
Mark Andrews <marka at isc.org> wrote:
> NSEC3 records for ENT only need to exist for parent domains of records that
> provably exist in a NSEC3 zone. Insecure delegations do not, by default, provably
> exist when OPTOUT is in use.
>
> dnssec-signzone adds NSEC3 records for ENT when there is a child domain that
> provably exists.
>
> Note: there is no mechanism in dnssec-signzone to say add a NSEC3 record for this
> insecure delegation despite that being permitted by NSEC3.
>
> Mark
I cannot understand. What is "provably"? Where in the RFC should I read about this?
<foobar>.gov.example is the name in the example zone.
And there is the ex.gov.example zone below the example zone.
One more thing: what about gov.ac?
% dig gov.ac @8.8.8.8 +nocd
; <<>> DiG 9.9.5 <<>> gov.ac @8.8.8.8 +nocd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26753
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;gov.ac. IN A
;; Query time: 195 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jan 17 15:03:36 JST 2018
;; MSG SIZE rcvd: 35
% dig gov.ac @8.8.8.8 +cd
; <<>> DiG 9.9.5 <<>> gov.ac @8.8.8.8 +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52425
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;gov.ac. IN A
;; AUTHORITY SECTION:
ac. 899 IN SOA a0.nic.ac. noc.afilias-nst.info. (
1497206749 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
2764800 ; expire (4 weeks 4 days)
900 ; minimum (15 minutes)
)
;; Query time: 328 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jan 17 15:03:54 JST 2018
;; MSG SIZE rcvd: 98
--
------------------------------------------------------------------------------
T.Suzuki
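To make Mark's "provably exists" concrete, here is an added Python example (my own code, not from BIND, dnssec-signzone or anyone in this thread). It hashes names as RFC 5155 section 5 prescribes, builds an Opt-Out NSEC3 chain for a constructed zone, and asks the two questions a validator asks of a name: does it have a matching NSEC3 (then it provably exists, empty type bitmap or not), or does its hash merely fall inside an Opt-Out span (then an unsigned delegation may or may not be there, and a validator cannot tell a forged one from a real one)? The zone contents are made up to mirror the question: gov.example is an ENT whose only child is the insecure delegation ex.gov.example, so an Opt-Out signer emits no NSEC3 for it, while w.example is an ENT with a signed child x.w.example and gets one. The salt aabbccdd, the 12 iterations and the apex hash of "example" are the RFC 5155 Appendix A values; everything else is assumed.

```python
# Added example, not code from the thread: "provably exists" versus "covered by an
# Opt-Out span" in an NSEC3 zone. Zone contents below are constructed; only the
# hash parameters (salt aabbccdd, 12 iterations) and the hash of the apex name
# "example" come from RFC 5155 Appendix A.
import base64
import hashlib
from dataclasses import dataclass

# base32hex (RFC 4648 s7), derived from the standard base32 alphabet
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def canonical_wire(name: str) -> bytes:
    """Canonical wire form of a name (RFC 4034 s6.2): lower-case labels,
    each length-prefixed, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 s5: H0 = SHA-1(name || salt), Hk = SHA-1(Hk-1 || salt), returned as
    lower-case base32hex (a 20-byte digest is exactly 32 characters, no padding)."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(canonical_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


@dataclass(frozen=True)
class NSEC3:
    owner: str          # hashed owner name (base32hex)
    next_owner: str     # next hashed owner name in the chain
    opt_out: bool       # Opt-Out flag (flags & 0x01)
    types: frozenset    # type bitmap of the original owner name

    def covers(self, h: str) -> bool:
        """h lies strictly inside (owner, next_owner); the last record wraps to the first."""
        if self.owner < self.next_owner:
            return self.owner < h < self.next_owner
        return h > self.owner or h < self.next_owner


def build_chain(names, salt, iterations, opt_out=True):
    """Sign a constructed zone: one NSEC3 per listed name, sorted by hash, linked in a ring."""
    hashed = sorted(((nsec3_hash(n, salt, iterations), frozenset(t)) for n, t in names),
                    key=lambda e: e[0])
    return [NSEC3(h, hashed[(i + 1) % len(hashed)][0], opt_out, t)
            for i, (h, t) in enumerate(hashed)]


def classify(name, chain, salt, iterations):
    """'exists'     : a matching NSEC3 proves the name, even with an empty bitmap (ENT)
    'nonexistent'  : covered by an NSEC3 without Opt-Out
    'optout-span'  : covered by an Opt-Out NSEC3; an unsigned delegation may sit there"""
    h = nsec3_hash(name, salt, iterations)
    for rec in chain:
        if rec.owner == h:
            return "exists"
    for rec in chain:
        if rec.covers(h):
            return "optout-span" if rec.opt_out else "nonexistent"
    return "no-proof"  # broken or incomplete chain


def forged_delegation_accepted(name, chain, salt, iterations):
    """Would a validator accept an unsigned NS RRset for `name` that the zone never
    published? Per RFC 5155 s8.9: yes, if the closest encloser provably exists and the
    next-closer name is covered by an Opt-Out NSEC3. A matching NSEC3 at `name` itself
    settles the question by its type bitmap instead."""
    h = nsec3_hash(name, salt, iterations)
    for rec in chain:
        if rec.owner == h:
            return "NS" in rec.types and "DS" not in rec.types
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):  # candidate closest enclosers: parent, grandparent, ...
        encloser, next_closer = ".".join(labels[i:]), ".".join(labels[i - 1:])
        if classify(encloser, chain, salt, iterations) == "exists":
            return classify(next_closer, chain, salt, iterations) == "optout-span"
    return False


SALT, ITERATIONS = "aabbccdd", 12
# Constructed zone signed with Opt-Out: the names the signer emits NSEC3 records for.
SIGNED = [
    ("example", {"SOA", "NS", "DNSKEY", "NSEC3PARAM"}),
    ("ns1.example", {"A"}),
    ("a.example", {"NS", "DS"}),   # secure delegation: has a DS, so it is in the chain
    ("w.example", set()),          # ENT whose child x.w.example provably exists
    ("x.w.example", {"A"}),
]
# Left out by the signer (Opt-Out): c.example, an insecure delegation, and gov.example,
# an ENT whose only child, ex.gov.example, is an insecure delegation.


def demo():
    chain = build_chain(SIGNED, SALT, ITERATIONS)
    probe = ["w.example", "gov.example", "ex.gov.example", "x.w.example", "c.example"]
    return {n: (classify(n, chain, SALT, ITERATIONS),
                forged_delegation_accepted(n, chain, SALT, ITERATIONS)) for n in probe}


if __name__ == "__main__":
    for name, (status, forged_ok) in demo().items():
        print(f"{name:16} {status:12} forged insecure delegation accepted: {forged_ok}")
```

Reading the output: a forged NS RRset for gov.example (or for anything under it) is accepted as an insecure delegation, because the closest encloser "example" provably exists and gov.example hashes into an Opt-Out span, exactly as the genuine insecure delegation c.example does. For w.example the same forgery is rejected, because the signer emitted an NSEC3 for that ENT and its bitmap carries no NS. That is the difference Mark describes between an ENT above a signed child and an ENT above nothing but insecure delegations.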