[dns-operations] Possibly-incorrect NSEC responses from many RSOs

Peter van Dijk peter.van.dijk at powerdns.com
Tue Mar 2 13:23:19 UTC 2021

On Sat, 2021-02-27 at 17:06 +0000, Paul Hoffman wrote:
> > Additionally, we expect this may bring some new attention to the
> > way in which authoritative name servers respond to queries of type
> > NSEC.  Some implementations respond with referrals, while others
> > respond with an NSEC RR in the Answer section.  Verisign will be
> > pleased to work with the community if there are ambiguities in the
> > relevant RFCs (e.g. 4035) that would benefit from clarification,
> > as current behavior beyond this subset of our name servers suggests.
> The text in Section 3 of RFC 4035 is:
>    A security-aware name server that receives a DNS query that does not
>    include the EDNS OPT pseudo-RR or that has the DO bit clear MUST
>    treat the RRSIG, DNSKEY, and NSEC RRs as it would any other RRset and
>    MUST NOT perform any of the additional processing described below.
> The "treat ... as it would any other RRset" seems to say that if an authoritative server gets a query for <tld>/NSEC for a name that has an NSEC record in the zone, that NSEC record should appear in the Answer section.

That text appears to have been written for the general case of
'querying for data that is authoritative in a zone', ignoring the very
specific case of 'at a zone cut' that the different (root) server
responses are about. In an earlier thread (linked a few lines below),
no conclusion was reached on which behaviour is correct, or more
correctly, it was argued that neither behaviour is wrong, even if some
people had their preferences.

My suggestion (seriously): prohibit NSEC and RRSIG queries. They are
ambiguous and nobody has any use for their output anyway. Not
supporting them can really simplify some implementations as well (I
submit RFC 8482 as exhibit A.)

, Mark Andrews says 'it is pretty pointless to query for NSEC records',
and I agree.

Further down the thread we are in right now, it is clearly argued that
RRSIG queries are pointless. PowerDNS (authoritative) has been replying
REFUSED to RRSIG queries for years, and only two things noticed. (1) a
Nagios plugin (it was fixed) (2) a registry with weird pre-delegation
checks (it was fixed). We're not aware of any trouble otherwise.

Kind regards,
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

More information about the dns-operations mailing list