[dns-operations] Akamai now works with ENT (Empty Non-Terminals)?
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Apr 15 23:54:36 UTC 2019
On Mon, Apr 15, 2019 at 07:40:03PM -0400, Shumon Huque wrote:
> > 5.3.4. Authenticating a Wildcard Expanded RRset Positive Response
> >
> > If the number of labels in an RRset's owner name is greater than the
> > Labels field of the covering RRSIG RR, then the RRset and its
> > covering RRSIG RR were created as a result of wildcard expansion.
> > Once the validator has verified the signature, as described in
> > Section 5.3, it must take additional steps to verify the non-
> > existence of an exact match or closer wildcard match for the query.
>
> It doesn't say: also make sure there are no contradictory facts being
> asserted in the response, such as an NSEC record that denies the
> existence of the wildcard that was deduced to exist by means of the
> RRSIG in the answer section. It seems that resolvers could make any
> number of quite complex deductions of this nature, but why would an
> implementer go out of their way to do all that extra work? On the other
> hand, this zone is clearly broken, so there is probably benefit in a
> popular resolver flagging its responses as broken, if it acts as an
> incentive to get this fixed.
This could be an interaction with aggressive nsec.
--
Viktor.
More information about the dns-operations
mailing list