[dns-operations] DNSSec validation issue for .se (missing denial of existence for *.se)

Shreyas Zare shreyas at technitium.com
Tue Jan 11 16:22:07 UTC 2022


Hi,

I was implementing DNSSEC just last month and came across this same issue
and didn't find any specific documentation on it.

However, I came to the conclusion that since the NSEC record that was
returned has the next domain name "acem.a.se" which is a sub domain for the
qname "a.se", its sufficient proof that the "a.se" name is NODATA and so no
wildcard proof is required here.

Regards,
Shreyas Zare
Technitium

On Tue, Jan 11, 2022, 21:26 Hannes Mehnert <hannes at mehnert.org> wrote:

> Hi DNS operators,
>
> since this is my first mail here, I first would like to thank you all
> for the constructive discussions and technical expertise. I'm developing
> a DNS suite in OCaml, a statically typed functional programming language
> [see https://github.com/mirage/ocaml-dns // https://mirageos.org if
> interested], and have learned a lot from lurking on this list. My
> current work item is a recursive resolver.
>
> When I just implemented the denial of existence for DNSSec (with NSEC),
> I stumbled upon the TLD .se that uses NSEC. I mailed earlier to
> registry-default at nic dot se (the hostmaster in the SOA of .se), but
> didn't get a reply.
>
> Of course, I may be wrong with my analysis, if this is the case please
> help me to understand how this should work.
>
> I'm wondering how other validators (public resolvers) deal with the
> following issue, which is a missing denial of existence for *.se: So, a
> request for resource record type A, domain name a.se results in the
> following:
>
> $ dig +dnssec a.se
>
> se.                     5363    IN      SOA catcher-in-the-rye.nic.se.
> registry-default.nic.se. 2022010921 1800 1800 864000 7200
> se.                     5363    IN      RRSIG   SOA 8 1 172800
> 20220122054639 20220109191050 30015 se.  [...]
> _nicname._tcp.se.       6694    IN      NSEC    acem.a.se. SRV RRSIG NSEC
> _nicname._tcp.se.       6694    IN      RRSIG   NSEC 8 3 7200
> 20220121191006 20220108001053 30015 se. [...]
>
> Which provides a non-existence proof for everything between
> _nicname._tcp.se and acem.a.se, but nothing for *.se (which according to
> the order of canonical domain names, is before _nicname._tcp.se -- even
> before 0.se that seems to be the first registered domain name).
>
> The NSEC record missing from the reply above is the following NSEC and
> RRSIG ($ dig +dnssec ns \!.se).
>
> se.                     4353    IN      NSEC    0.se. NS SOA TXT RRSIG
> NSEC DNSKEY
> se.                     4353    IN      RRSIG   NSEC 8 1 7200
> 20220121132017 20220108061050 30015 se.
> jzWI5l5Sxyb2sOLzCWNX06nwmCtZuFdS3PvmivnyOPVZ3cw+blBXNYwN
> cFCYFdMC7R31W0ABBuT587mAm7Ae5NJX2GnXGcNgaVcD9VhKWAjJHpqf
> +NJcLOF9771m/BKPC7dKTwt/zVdKJSwFjaYTr0streS9OMCnJXbiWaQc
> CMDmzko2WiWdBNDAbZ8H/OfKymYjgJz1hZynMdl5LyWcGgxlOksuLKSv
> 4xg4Ey07r4ZCy5XTQwfHG74qWa+61BVjfP3KEEEB42B0rZX8lT15B9MS
> Cg9RmBObNC5FYjXGkbeik6iXrdOGzUUURHay+th9SJ4BGIFIV8fyyDTd oxOc5w==
>
>
> Thank you for reading,
>
> Hannes Mehnert
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20220111/dee36a7c/attachment.html>


More information about the dns-operations mailing list