[dns-operations] [Ext] Possibly-incorrect NSEC responses from many RSOs
Paul Hoffman
paul.hoffman at icann.org
Sun Feb 28 19:47:37 UTC 2021
On Feb 28, 2021, at 11:35 AM, Vladimír Čunát <vladimir.cunat+ietf at nic.cz> wrote:
>
> On 2/28/21 3:24 AM, Paul Hoffman wrote:
>> On Feb 27, 2021, at 5:32 PM, Mark Andrews <marka at isc.org>
>> wrote:
>>
>>> It says that RRSIGs exist at that name.
>>>
>> Could you say more? I don't understand the context here.
>>
>> For example, "dig @f.root-servers.net -4 nl rrsig" gives a reply with no Answer section.
>>
> Explicit QTYPE=RRSIG is a gray area, I believe.
If that's true, then it argues for an update to the simple sentences in RFC 4035.
> In some cases it could be a DoS vector [1], and I don't know of a use case for such a query, so it makes sense not to answer (in full). In your particular example, if you ask for DS nl, you will get all RRSIGs for that name-type pair. Overall, it's even explicitly standardized that RRSIGs do not form an RRset; they're more like an appendage to the RRset they sign.
>
> [1] https://tools.ietf.org/html/rfc8482#section-7 [tools.ietf.org]
That RFC (a) doesn't update RFC 4025 and (b) is only about QTYPE of "ANY".
--Paul Hoffman
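As an added illustration (my code, not from the thread or any resolver project), the two queries compared above at the wire level, using only the Python standard library: an explicit QTYPE=RRSIG query whose reply carries an empty Answer section, and a QTYPE=DS query whose reply carries the DS RRset together with the RRSIG whose "type covered" field names DS. The response bytes are constructed to mirror what the thread describes, not captured from f.root-servers.net, and the RRSIG signature bytes are placeholders.

```python
import struct
DS, RRSIG = 43, 46  # RR type codes

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name, honouring RFC 1035 compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # pointer: two bytes, name ends here
            return off + 2
        off += 1 + length

def build_query(qname: str, qtype: int, qid: int = 0x1234) -> bytes:
    """Query with an EDNS0 OPT RR carrying the DO bit, as 'dig +dnssec' sends."""
    labels = [p for p in qname.rstrip(".").split(".") if p]
    name = b"".join(bytes([len(p)]) + p.encode() for p in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)  # root name, 4096, DO, rdlen 0
    return header + name + struct.pack("!HH", qtype, 1) + opt

def build_response(query: bytes, answers) -> bytes:
    """Constructed test helper: echo the question, then (rtype, rdata) answers at the qname."""
    qend = _skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", query[0] << 8 | query[1], 0x8400, 1, len(answers), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 86400, len(r)) + r for t, r in answers)
    return header + query[12:qend] + rrs

def answer_types(msg: bytes):
    """(rtype, type_covered) per Answer RR; type_covered is None unless RRSIG. [] = empty Answer."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    out = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        covered = struct.unpack("!H", msg[off:off + 2])[0] if rtype == RRSIG else None
        out.append((rtype, covered))
        off += rdlen
    return out

# Constructed exchange mirroring the thread: QTYPE=RRSIG answered with an empty Answer section,
# QTYPE=DS answered with the DS RRset plus the RRSIG whose "type covered" is DS (constructed RDATA).
DS_RDATA = struct.pack("!HBB", 34112, 13, 2) + b"\x11" * 32  # key tag, alg, digest type, digest
RRSIG_RDATA = struct.pack("!HBBIIIH", DS, 13, 1, 86400, 1615000000, 1613000000, 0) + b"\x00" + b"\x00" * 16
RRSIG_REPLY = build_response(build_query("nl", RRSIG), [])
DS_REPLY = build_response(build_query("nl", DS), [(DS, DS_RDATA), (RRSIG, RRSIG_RDATA)])
```

Run `answer_types` over a real reply captured from the server you are checking to see whether its Answer section is empty for QTYPE=RRSIG and which RRset each returned RRSIG covers.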