[dns-operations] (In)correct handling of wildcard NS at zone apex.

Robert Edmonds edmonds at mycre.ws
Sat May 26 04:41:22 UTC 2018

Viktor Dukhovni wrote:
> An interesting edge-case is mishandled by the nameservers at
> nazwa.pl.  They seem to have a few customers with signed zones
> that are empty apart from a wildcard NS just below the zone
> apex.

Aren't wildcard NSes formally undefined in the DNSSEC specification?

4.2.  NS RRSet at a Wildcard Domain Name

   With the definition of DNSSEC [RFC4033, RFC4034, RFC4035] now in
   place, the semantics of a wildcard domain name owning an NS RRSet has
   come to be poorly defined.  The dilemma relates to a conflict between
   the rules for synthesis in part 'c' and the fact that the resulting
   synthesis generates a record for which the zone is not authoritative.
   In a DNSSEC signed zone, the mechanics of signature management
   (generation and inclusion in a message) have become unclear.

Lewis                       Standards Track                    [Page 14]
RFC 4592                      DNSEXT WCARD                     July 2006

   Salient points of the working group discussion on this topic are
   summarized in section 4.2.1.

   As a result of these discussions, there is no definition given for
   wildcard domain names owning an NS RRSet.  The semantics are left
   undefined until there is a clear need to have a set defined, and
   until there is a clear direction to proceed.  Operationally,
   inclusion of wildcard NS RRSets in a zone is discouraged, but not

4.2.1.  Discarded Notions

   Prior to DNSSEC, a wildcard domain name owning a NS RRSet appeared to
   be workable, and there are some instances in which it is found in
   deployments using implementations that support this.  Continuing to
   allow this in the specification is not tenable with DNSSEC.  The
   reason is that the synthesis of the NS RRSet is being done in a zone
   that has delegated away the responsibility for the name.  This
   "unauthorized" synthesis is not a problem for the base DNS protocol,
   but DNSSEC in affirming the authorization model for DNS exposes the

   Outright banning of wildcards of type NS is also untenable as the DNS
   protocol does not define how to handle "illegal" data.
   Implementations may choose not to load a zone, but there is no
   protocol definition.  The lack of the definition is complicated by
   having to cover dynamic update [RFC2136] and zone transfers, as well
   as loading at the master server.  The case of a client (resolver,
   caching server) getting a wildcard of type NS in a reply would also
   have to be considered.

   Given the daunting challenge of a complete definition of how to ban
   such records, dealing with existing implementations that permit the
   records today is a further complication.  There are uses of wildcard
   domain name owning NS RRSets.

   One compromise proposed would have redefined wildcards of type NS to
   not be used in synthesis, this compromise fell apart because it would
   have required significant edits to the DNSSEC signing and validation
   work.  (Again, DNSSEC catches unauthorized data.)

   With no clear consensus forming on the solution to this dilemma, and
   the realization that wildcards of type NS are a rarity in operations,
   the best course of action is to leave this open-ended until "it

Robert Edmonds
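As an added example (not code from this thread or from RFC 4592), a small zone lint that flags the pattern Viktor describes: an NS RRset owned by a wildcard name in a zone that also carries DNSSEC records. The zone text, names and key/signature data are constructed placeholders, and the parser assumes one record per line.

```python
"""Lint a zone for wildcard-owned NS RRsets, which RFC 4592 section 4.2
leaves undefined under DNSSEC and discourages operationally."""

# Constructed sample zone: signed, and empty apart from a wildcard NS
# just below the apex. Key and signature rdata are placeholders.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@        3600 IN SOA    ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300
@        3600 IN NS     ns1.example.com.
@        3600 IN DNSKEY 257 3 13 PLACEHOLDERKEYDATA==
@        3600 IN RRSIG  SOA 13 2 3600 20380101000000 20200101000000 12345 example.com. PLACEHOLDERSIG==
*        3600 IN NS     ns.hoster.example.net.
www.sub  3600 IN A      192.0.2.1
"""

def parse_zone(text):
    """Return (owner, type, rdata) tuples from a one-record-per-line zone.
    Handles $ORIGIN, '@' and relative owner names; no $TTL inheritance,
    no multi-line (parenthesised) records."""
    origin = "."
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, _ttl, _klass, rtype, rdata = line.split(None, 4)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"           # make relative names absolute
        records.append((owner.lower(), rtype.upper(), rdata))
    return records

def wildcard_ns_owners(records):
    """Owner names whose leftmost label is exactly '*' (a wildcard domain
    name per RFC 4592) and which own an NS RRset. '*foo' is not a wildcard."""
    return sorted({o for o, t, _ in records if t == "NS" and o.startswith("*.")})

def lint_zone(text):
    """Report whether the zone carries DNSSEC records and which wildcard
    NS RRsets it holds; both true together is the case this thread discusses."""
    records = parse_zone(text)
    signed = any(t in ("DNSKEY", "RRSIG") for _, t, _ in records)
    return {"signed": signed, "wildcard_ns": wildcard_ns_owners(records)}
```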
