[dns-operations] Signing on the fly and UltraDNS
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue Jan 5 03:44:43 UTC 2021
On Tue, Jan 05, 2021 at 02:39:27AM +0000, Paul Hoffman wrote:
> Greetings again. Those of us who research DNSSEC adoption in the real
> world are being a bit stymied by some of the sign-on-the-fly systems,
> such as this one, apparently from UltraDNS. (Similar results are given
> for any nonexistent name in house.gov, such as "www1".)
These are certainly *interesting* choices, but the result is a valid
denial of existence, which for some reason chooses to optimise to defend
against zone walking (of a zone whose content is entirely predictable,
and likely a matter of public record, ...), rather than improved
negative caching. Not a choice I'd make for this zone, but on a purely
technical level, the proofs work.
If the zone is known a priori to only contain regular LDH names and the
occasional "*" or "_", then the possible character range of "real" names
is a subset of:
!…*…-…0–9…A–Z…_…a–z…~
with the two endpoints excluded. In which case, any actual successor,
in lexical order, of some label "foo" (<62 octets long) sorts after
"foo!", and its predecessor sorts before "~.fon~".
> ~.anynameyouwans~.house.gov. 882 IN NSEC anynameyouwant!.house.gov. RRSIG NSEC
> !~.house.gov. 882 IN NSEC -.house.gov. RRSIG NSEC
Consequently, these choices are largely rational, whether they're
"optimal" is a matter of what one chooses to prioritise.
--
Viktor.
More information about the dns-operations
mailing list