[dns-operations] Possibly-incorrect NSEC responses from many RSOs

Roy Arends roy at dnss.ec
Tue Mar 2 13:49:42 UTC 2021

> On 2 Mar 2021, at 13:23, Peter van Dijk <peter.van.dijk at powerdns.com> wrote:
> On Sat, 2021-02-27 at 17:06 +0000, Paul Hoffman wrote:
>>> Additionally, we expect this may bring some new attention to the
>>> way in which authoritative name servers respond to queries of type
>>> NSEC.  Some implementations respond with referrals, while others
>>> respond with an NSEC RR in the Answer section.  Verisign will be
>>> pleased to work with the community if there are ambiguities in the
>>> relevant RFCs (e.g. 4035) that would benefit from clarification,
>>> as current behavior beyond this subset of our name servers suggests.
>> The text in Section 3 of RFC 4035 is:
>>   A security-aware name server that receives a DNS query that does not
>>   include the EDNS OPT pseudo-RR or that has the DO bit clear MUST
>>   treat the RRSIG, DNSKEY, and NSEC RRs as it would any other RRset and
>>   MUST NOT perform any of the additional processing described below.
>> The "treat ... as it would any other RRset" seems to say that if an authoritative server gets a query for <tld>/NSEC for a name that has an NSEC record in the zone, that NSEC record should appear in the Answer section.
> That text appears to have been written for the general case of
> 'querying for data that is authoritative in a zone', ignoring the very
> specific case of 'at a zone cut' that the different (root) server
> responses are about.

The “treat … as it would any other RRset” refers to the DNS Query. It must treat the DNS query for type RRSIG, DNSKEY and NSEC as it would treat a query for any other RRset. 

So, if the query is for a type at a name at a delegation point, return the delegation point. If the query is for type A, NS, AAAA, MX, NSEC, DNSKEY, type12345, etc, etc, return the delegation point.

If this is not a delegation point, and NSEC happens to exist at the name, return NSEC, otherwise NODATA. If the name doesn’t exist, return NXDOMAIN.

It does NOT say “return NSEC” if the query is for NSEC.

Hope this helps.
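The decision procedure described above, as an added example that is not part of the original post or of any name server implementation: a model of authoritative response selection for a query with the DO bit clear, where RRSIG, DNSKEY and NSEC are looked up exactly like any other type. The zone data, owner names and function names are constructed for the example; the DS-at-the-cut branch is a caveat from RFC 4035 section 3.1.4.1 that the post does not mention.

```python
"""Model of how an authoritative server picks a response when the DO bit
is clear (RFC 4035 section 3): the qtype is looked up like any other type,
and the delegation check comes first.  Added example; the zone below is
constructed, and nothing here is taken from a real server's code."""

from dataclasses import dataclass, field


@dataclass
class Response:
    rcode: str                      # "NOERROR" or "NXDOMAIN"
    aa: bool                        # authoritative-answer flag
    answer: list = field(default_factory=list)      # (owner, type, rdata)
    authority: list = field(default_factory=list)   # (owner, type, rdata)


# Constructed zone "example." with one delegation at "child.example.".
# Key: owner name; value: {type: [rdata, ...]}.  Glue has no NSEC because
# the parent is not authoritative for it.
ZONE_APEX = "example."
ZONE = {
    "example.":           {"SOA": ["ns1.example. hostmaster.example. 1 7200 900 1209600 3600"],
                           "NS": ["ns1.example."],
                           "DNSKEY": ["257 3 13 <constructed-key-placeholder>"],
                           "NSEC": ["child.example. NS SOA RRSIG NSEC DNSKEY"]},
    "child.example.":     {"NS": ["ns1.child.example."],
                           "DS": ["12345 13 2 <constructed-digest-placeholder>"],
                           "NSEC": ["ns1.example. NS DS RRSIG NSEC"]},
    "ns1.child.example.": {"A": ["192.0.2.53"]},       # glue, below the cut
    "ns1.example.":       {"A": ["192.0.2.1"],
                           "NSEC": ["www.example. A RRSIG NSEC"]},
    "www.example.":       {"A": ["192.0.2.80"],
                           "NSEC": ["example. A RRSIG NSEC"]},
}


def _ancestors(qname):
    """Yield qname, then each ancestor, stopping at the apex (inclusive)."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        yield name
        if name == ZONE_APEX:
            return


def _zone_cut(qname):
    """Return the delegation name enclosing qname, or None.  The apex also
    carries NS but is not a cut.  If nested NS sets appear below a cut they
    are glue, so the highest cut encountered wins."""
    cut = None
    for name in _ancestors(qname):
        if name == ZONE_APEX:
            break
        if "NS" in ZONE.get(name, {}):
            cut = name
    return cut


def respond(qname, qtype):
    """Select the response for (qname, qtype) with DO clear.  Wildcards and
    the Additional section (glue) are not modelled."""
    qname = qname.lower()
    if qname != ZONE_APEX and not qname.endswith("." + ZONE_APEX):
        raise ValueError("query is outside the zone")  # REFUSED in a real server

    cut = _zone_cut(qname)
    if cut is not None:
        # At or below a delegation point the qtype does not matter: A, NS,
        # NSEC, DNSKEY or an unknown type all get the referral.
        # Caveat beyond the post: DS at the cut itself belongs to the parent
        # (RFC 4035 s3.1.4.1) and is answered authoritatively.
        if qname == cut and qtype == "DS" and "DS" in ZONE[cut]:
            return Response("NOERROR", True,
                            answer=[(cut, "DS", r) for r in ZONE[cut]["DS"]])
        return Response("NOERROR", False,
                        authority=[(cut, "NS", r) for r in ZONE[cut]["NS"]])

    soa = [(ZONE_APEX, "SOA", r) for r in ZONE[ZONE_APEX]["SOA"]]
    rrsets = ZONE.get(qname)
    if rrsets is None:
        # An empty non-terminal exists (names below it) -> NODATA, not NXDOMAIN.
        if any(n.endswith("." + qname) for n in ZONE):
            return Response("NOERROR", True, authority=soa)
        return Response("NXDOMAIN", True, authority=soa)
    if qtype in rrsets:
        # The name exists and the type is present: NSEC is returned in the
        # Answer section only because it happens to exist here, like any RRset.
        return Response("NOERROR", True,
                        answer=[(qname, qtype, r) for r in rrsets[qtype]])
    return Response("NOERROR", True, authority=soa)   # NODATA
```

Running `respond("child.example.", "NSEC")` yields a referral with an empty Answer section, while `respond("www.example.", "NSEC")` returns the NSEC RR in the Answer section and `respond("www.example.", "MX")` returns NODATA; the qtype never changes which branch is taken at the cut.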

