[dns-operations] [Ext] Signing on the fly and UltraDNS

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Jan 5 05:03:13 UTC 2021

On Tue, Jan 05, 2021 at 04:52:07AM +0000, Paul Hoffman wrote:

> >> ~.anynameyouwans~.house.gov. 882 IN	NSEC	anynameyouwant!.house.gov. RRSIG NSEC
> >> !~.house.gov.		882	IN	NSEC	-.house.gov. RRSIG NSEC
> > 
> > Consequently, these choices are largely rational, whether they're
> > "optimal" is a matter of what one chooses to prioritise.
> That all seems correct. However, I brought the issue to this mailing
> list, instead of to the UltraDNS folks, because I am using tools that
> expect host names instead of domain names (in this case, dig); now I
> have to write shims around them. Other signing-on-the-fly mechanisms
> might cause similar issues for dig or other tools.

Indeed anyone else who has been getting away with assuming ~LDH names in
NSEC RRs should be prepared for this, and perhaps even more surprising
formats.  For example, I can elicit "\\\@.house.gov" as an NSEC right
bound from this domain, so escaping/unescaping may be required...

I've also found a way to walk the zone anyway, so the whole charade is
mostly pointless.  It would be far better to just use the real names,
take advantage of aggressive negative caching, and ignore the zone-
walking non-problem.


More information about the dns-operations mailing list