[dns-operations] Signing on the fly and UltraDNS

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Jan 5 03:44:43 UTC 2021

On Tue, Jan 05, 2021 at 02:39:27AM +0000, Paul Hoffman wrote:

> Greetings again. Those of us who research DNSSEC adoption in the real
> world are being a bit stymied by some of the sign-on-the-fly systems,
> such as this one, apparently from UltraDNS. (Similar results are given
> for any nonexistent name in house.gov, such as "www1".)

These are certainly *interesting* choices, but the result is a valid
denial of existence, which for some reason chooses to optimise to defend
against zone walking (of a zone whose content is entirely predictable,
and likely a matter of public record, ...), rather than improved
negative caching.  Not a choice I'd make for this zone, but on a purely
technical level, the proofs work.

If the zone is known a priori to only contain regular LDH names and the
occasional "*" or "_", then the possible character range of "real" names
is a subset of:


with the two endpoints excluded.  In which case, any actual successor,
in lexical order, of some label "foo" (<62 octets long) sorts after
"foo!", and its predecessor sorts before "~.fon~".

> ~.anynameyouwans~.house.gov. 882 IN	NSEC	anynameyouwant!.house.gov. RRSIG NSEC
> !~.house.gov.		882	IN	NSEC	-.house.gov. RRSIG NSEC

Consequently, these choices are largely rational, whether they're
"optimal" is a matter of what one chooses to prioritise.


More information about the dns-operations mailing list