[dns-operations] Akamai now works with ENT (Empty Non-Terminals)?

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Apr 15 23:54:36 UTC 2019

On Mon, Apr 15, 2019 at 07:40:03PM -0400, Shumon Huque wrote:

> > 5.3.4.  Authenticating a Wildcard Expanded RRset Positive Response
> >
> >    If the number of labels in an RRset's owner name is greater than the
> >    Labels field of the covering RRSIG RR, then the RRset and its
> >    covering RRSIG RR were created as a result of wildcard expansion.
> >    Once the validator has verified the signature, as described in
> >    Section 5.3, it must take additional steps to verify the non-
> >    existence of an exact match or closer wildcard match for the query.
> It doesn't say: also make sure there are no contradictory facts being
> asserted in the response, such as an NSEC record that denies the
> existence of the wildcard that was deduced to exist by means of the
> RRSIG in the answer section. It seems that resolvers could make any
> number of quite complex deductions of this nature, but why would an
> implementer go out of their way to do all that extra work? On the other
> hand, this zone is clearly broken, so there is probably benefit in a
> popular resolver flagging its responses as broken, if it acts as an
> incentive to get this fixed.

This could be an interaction with aggressive nsec.


More information about the dns-operations mailing list