[dns-operations] [Ext] Possibly-incorrect NSEC responses from many RSOs
paul.hoffman at icann.org
Sun Feb 28 19:47:37 UTC 2021
On Feb 28, 2021, at 11:35 AM, Vladimír Čunát <vladimir.cunat+ietf at nic.cz> wrote:
> On 2/28/21 3:24 AM, Paul Hoffman wrote:
>> On Feb 27, 2021, at 5:32 PM, Mark Andrews <marka at isc.org>
>>> It says that RRSIGs exist at that name.
>> Could you say more? I don't understand the context here.
>> For example, "dig @f.root-servers.net -4 nl rrsig" gives a reply with no Answer section.
> Explicit QTYPE=RRSIG is a gray area, I believe.
If that's true, then it argues for an update to the simple sentences in RFC 4035.
> In some cases it could be a DoS vector, and I don't know of a use case for such a query, so it makes sense not to answer (in full). In your particular example, if you ask for DS nl, you will get all RRSIGs for that name-type pair. Overall, it's even explicitly standardized that RRSIGs do not form an RRset; they're more like an appendage to the RRset they sign.
> https://tools.ietf.org/html/rfc8482#section-7
That RFC (a) doesn't update RFC 4025 and (b) is only about QTYPE of "ANY".
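To reproduce the check discussed in this thread from a script instead of with dig, here is an added example (not part of the thread, stdlib-only Python): it builds a DNSSEC-aware query for a name and QTYPE, parses the Answer section of the reply and lists the RR types it finds, so an explicit RRSIG query and a DS query to the same server can be compared. The two embedded replies are constructed stand-ins for the two cases described above, not captured root-server responses; `query_udp()` is the live version of the check against whatever server you name.

```python
import socket
import struct

DS, RRSIG, OPT = 43, 46, 41

def build_query(qname, qtype, qid=0x1234, udp_size=1232):
    """Wire-format query with EDNS0 and the DO bit set, so RRSIGs come back (RFC 4035 3.2.1)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 OPT RR
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split(".") if l)
    question += b"\x00" + struct.pack(">HH", qtype, 1)  # root terminator, QTYPE, QCLASS=IN
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE|version|flags (DO=0x8000)
    return header + question + b"\x00" + struct.pack(">HHIH", OPT, udp_size, 0x8000, 0)

def _skip_name(msg, off):
    """Offset just past a domain name; a compression pointer (top bits 11) ends it in 2 bytes."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += msg[off] + 1
    return off + 1

def answer_types(msg):
    """RR TYPEs in the Answer section of a DNS response, in order (empty list if no Answer)."""
    qdcount, ancount = struct.unpack_from(">HH", msg, 4)
    types, off = [], 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # QNAME, then QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        types.append(rtype)
        off += 10 + rdlen
    return types

def query_udp(server, qname, qtype, timeout=3.0):
    """Live check: send one query over UDP/53 and return the Answer-section RR types."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype), (server, 53))
        return answer_types(s.recv(4096))

def _rr(rtype, rdata, ttl=86400):
    """Constructed RR owned by the question name (compression pointer to offset 12)."""
    return b"\xc0\x0c" + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata
# Constructed replies for the thread's two cases: "nl RRSIG" (no Answer) and "nl DS" with DO (DS + its RRSIG).
SAMPLE_RRSIG_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + b"\x02nl\x00" + struct.pack(">HH", RRSIG, 1)
SAMPLE_DS_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + b"\x02nl\x00" + struct.pack(">HH", DS, 1)
                   + _rr(DS, struct.pack(">HBB", 1, 8, 2) + b"\x11" * 32)  # key tag, alg, digest type, digest
                   + _rr(RRSIG, struct.pack(">HBBIIIH", DS, 8, 1, 86400, 0, 0, 1) + b"\x02nl\x00" + b"\x22" * 16))
```

`query_udp("f.root-servers.net", "nl", RRSIG)` next to `query_udp("f.root-servers.net", "nl", DS)` is the live form of the comparison made in the thread; on the constructed samples the first case yields `[]` and the second `[DS, RRSIG]`.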