[dns-operations] (In)correct handling of wildcard NS at zone apex.
Robert Edmonds
edmonds at mycre.ws
Sat May 26 04:41:22 UTC 2018
Viktor Dukhovni wrote:
> An interesting edge-case is mishandled by the nameservers at
> nazwa.pl. They seem to have a few customers with signed zones
> that are empty apart from a wildcard NS just below the zone
> apex.
Aren't wildcard NSes formally undefined in the DNSSEC specification?
4.2. NS RRSet at a Wildcard Domain Name
With the definition of DNSSEC [RFC4033, RFC4034, RFC4035] now in
place, the semantics of a wildcard domain name owning an NS RRSet has
come to be poorly defined. The dilemma relates to a conflict between
the rules for synthesis in part 'c' and the fact that the resulting
synthesis generates a record for which the zone is not authoritative.
In a DNSSEC signed zone, the mechanics of signature management
(generation and inclusion in a message) have become unclear.
Lewis Standards Track [Page 14]
RFC 4592 DNSEXT WCARD July 2006
Salient points of the working group discussion on this topic are
summarized in section 4.2.1.
As a result of these discussions, there is no definition given for
wildcard domain names owning an NS RRSet. The semantics are left
undefined until there is a clear need to have a set defined, and
until there is a clear direction to proceed. Operationally,
inclusion of wildcard NS RRSets in a zone is discouraged, but not
barred.
4.2.1. Discarded Notions
Prior to DNSSEC, a wildcard domain name owning a NS RRSet appeared to
be workable, and there are some instances in which it is found in
deployments using implementations that support this. Continuing to
allow this in the specification is not tenable with DNSSEC. The
reason is that the synthesis of the NS RRSet is being done in a zone
that has delegated away the responsibility for the name. This
"unauthorized" synthesis is not a problem for the base DNS protocol,
but DNSSEC in affirming the authorization model for DNS exposes the
problem.
Outright banning of wildcards of type NS is also untenable as the DNS
protocol does not define how to handle "illegal" data.
Implementations may choose not to load a zone, but there is no
protocol definition. The lack of the definition is complicated by
having to cover dynamic update [RFC2136] and zone transfers, as well
as loading at the master server. The case of a client (resolver,
caching server) getting a wildcard of type NS in a reply would also
have to be considered.
Given the daunting challenge of a complete definition of how to ban
such records, dealing with existing implementations that permit the
records today is a further complication. There are uses of wildcard
domain name owning NS RRSets.
One compromise proposed would have redefined wildcards of type NS to
not be used in synthesis; this compromise fell apart because it would
have required significant edits to the DNSSEC signing and validation
work. (Again, DNSSEC catches unauthorized data.)
With no clear consensus forming on the solution to this dilemma, and
the realization that wildcards of type NS are a rarity in operations,
the best course of action is to leave this open-ended until "it
matters".
--
Robert Edmonds
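The following is an added worked example, not part of the thread and not code or zone data from nazwa.pl or the RFC. It is a dependency-free Python walk-through of the RFC 4592 wildcard synthesis rules (closest encloser, source of synthesis) applied to a constructed zone of the shape Viktor describes: a signed zone that is empty apart from a wildcard NS just below the apex. The zone names (`example.`, `ns1.example.`, `ns.hoster.invalid.`) are assumptions for illustration. It shows the synthesized NS answer that the zone is not authoritative for, a lint that flags wildcard NS owners and names the two RFC 4035 rules (section 3.1.3.3 wildcard answers carry the wildcard's RRSIG; section 2.2 non-apex NS RRsets are not signed) that collide there, and the RFC 4035 section 5.3.4 check by which a validator recognises a wildcard-expanded answer from the RRSIG Labels field.

```python
"""RFC 4592 wildcard synthesis and the wildcard-NS dilemma, on a toy zone.

Pure Python, no DNS library. The zone below is constructed for this example
(it is not nazwa.pl data); names are absolute, dotted and lower-case.
"""

ZONE_APEX = "example."

# Constructed sample: a signed zone that is empty apart from a wildcard NS
# just below the apex, the shape described in the thread.
ZONE = {
    "example.":     {"SOA": ["ns1.example. hostmaster.example. 1 3600 900 604800 300"],
                     "NS": ["ns1.example."],
                     "DNSKEY": ["257 3 13 (key material omitted)"]},
    "ns1.example.": {"A": ["192.0.2.1"]},
    "*.example.":   {"NS": ["ns.hoster.invalid."]},   # the contested record
}


def labels(name):
    """Labels of an absolute name, root excluded: 'a.b.' -> ['a', 'b']."""
    return [l for l in name.rstrip(".").split(".") if l]


def parent(name):
    return ".".join(labels(name)[1:]) + "."


def existing_names(zone):
    """Owner names plus empty non-terminals; both 'exist' for wildcard
    matching purposes (RFC 4592 section 2.2.2)."""
    names = set(zone)
    for owner in zone:
        n = owner
        while n != ZONE_APEX:
            n = parent(n)
            names.add(n)
    return names


def closest_encloser(qname, zone):
    """Longest existing ancestor of qname (RFC 4592 section 3.3.1)."""
    if qname != ZONE_APEX and not qname.endswith("." + ZONE_APEX):
        raise ValueError("name is not in the zone: " + qname)
    names = existing_names(zone)
    n = qname
    while n not in names:
        n = parent(n)
    return n


def lookup(qname, qtype, zone):
    """Answer qname/qtype from the zone, applying wildcard synthesis.

    Returns (status, rdata list, source of synthesis or None, authoritative).
    'authoritative' is False when the synthesized data is an NS RRset: the
    zone then answers for a name it has, by that very answer, delegated away.
    """
    if qname in zone:
        return ("NOERROR", zone[qname].get(qtype, []), None, True)
    ce = closest_encloser(qname, zone)
    if ce == qname:                      # empty non-terminal
        return ("NODATA", [], None, True)
    source = "*." + ce                   # RFC 4592 "source of synthesis"
    if source not in zone:
        return ("NXDOMAIN", [], None, True)
    # Rule 'c' of the synthesis procedure: copy the wildcard's RRset to qname.
    return ("NOERROR", zone[source].get(qtype, []), source,
            "NS" not in zone[source])


def must_sign(owner, rtype):
    """RFC 4035 section 2.2: authoritative RRsets carry RRSIGs; NS RRsets
    anywhere but the apex are delegation NS and are not signed."""
    return not (rtype == "NS" and owner != ZONE_APEX)


def wildcard_ns_findings(zone):
    """Lint for the case RFC 4592 section 4.2 leaves undefined: a wildcard
    owner holding NS. Each finding carries the two rules that collide: a
    wildcard answer includes the wildcard's RRSIG (RFC 4035 section 3.1.3.3),
    while an NS RRset below the apex is not signed (RFC 4035 section 2.2)."""
    out = []
    for owner, rrsets in zone.items():
        if owner.startswith("*.") and "NS" in rrsets:
            out.append({"owner": owner,
                        "wildcard_answer_needs_rrsig": True,
                        "ns_rrset_is_signed": must_sign(owner, "NS")})
    return out


def rrsig_labels(owner):
    """RRSIG Labels field (RFC 4034 section 3.1.3): '*' is not counted."""
    return len([l for l in labels(owner) if l != "*"])


def validator_view(answer_owner, sig_owner):
    """RFC 4035 section 5.3.4: if the RRSIG Labels field is smaller than the
    answer owner's label count, the RRset was synthesized; the validator then
    checks the signature over '*.' plus the trailing labels, and must also
    demand an NSEC/NSEC3 proof that the queried name does not exist."""
    n, q = rrsig_labels(sig_owner), labels(answer_owner)
    if n < len(q):
        return "*." + ".".join(q[len(q) - n:]) + "."
    return answer_owner


if __name__ == "__main__":
    print(lookup("foo.example.", "NS", ZONE))
    print(lookup("x.ns1.example.", "A", ZONE))
    print(wildcard_ns_findings(ZONE))
```

Running it, `foo.example. NS` is answered from `*.example.` with `authoritative=False`, while `x.ns1.example.` is NXDOMAIN because its closest encloser is `ns1.example.` and no `*.ns1.example.` exists; the lint reports the one wildcard NS owner with `ns_rrset_is_signed=False` against a wildcard answer that would need an RRSIG, which is the conflict the RFC text above describes without resolving.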