[dns-operations] [Ext] Possibly-incorrect NSEC responses from many RSOs

Paul Hoffman paul.hoffman at icann.org
Sun Feb 28 19:47:37 UTC 2021

On Feb 28, 2021, at 11:35 AM, Vladimír Čunát <vladimir.cunat+ietf at nic.cz> wrote:
> On 2/28/21 3:24 AM, Paul Hoffman wrote:
>> On Feb 27, 2021, at 5:32 PM, Mark Andrews <marka at isc.org>
>>  wrote:
>>> It says that RRSIGs exist at that name. 
>> Could you say more? I don't understand the context here.
>> For example, "dig @f.root-servers.net -4 nl rrsig" gives a reply with no Answer section.
> Explicit QTYPE=RRSIG is a gray area, I believe.  

If that's true, then it argues for an update to the simple sentences in RFC 4035.

> In some cases it could be a DoS vector [1], and I don't know of a use case for such a query, so it makes sense not to answer (in full).  In your particular example, if you ask for DS nl, you will get all RRSIGs for that name-type pair.  Overall, it's even explicitly standardized that RRSIGs do not form an RRset; they're more like an appendage to the RRset they sign.
> [1] https://tools.ietf.org/html/rfc8482#section-7 [tools.ietf.org]

That RFC (a) doesn't update RFC 4025 and (b) is only about QTYPE of "ANY".

--Paul Hoffman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2584 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20210228/3a2e96d3/attachment.bin>

More information about the dns-operations mailing list