[dns-operations] DNSSec validation issue for .se (missing denial of existence for *.se)

Ulrich Wisser ulrich at wisser.se
Mon Jan 17 14:01:36 UTC 2022 

This is of course very interesting for us (at .se).
I tried this with all our dns servers and all give the same answer.
But I tend to agree that a proof for the non existence of the wildcard should be there.

I am thinking of a domain setup as:

*.example.com <http://example.com/>. TXT “wildcard”
0.example.com <http://0.example.com/>. TXT “zero”
test.a.example.com. TXT “test.a”

What answer should “dig +dnssec a.example.com <http://a.example.com/> txt” give?

I would say “wildcard”. And if that is the case, shouldn’t it then send an extra sec in case there is no wildcard record?

/Ulrich


> On 11 Jan 2022, at 21:34, Mark Andrews <marka at isc.org> wrote:
> 
> NSEC prove there are no names with records between the two names. Note the qualifier “with records”.   Clarifying this was one of the early corrections to the DNSSEC specification. 
> 
> -- 
> Mark Andrews
> 
>> On 12 Jan 2022, at 03:31, Shreyas Zare <shreyas at technitium.com> wrote:
>> 
>> 
>> Hi,
>> 
>> I was implementing DNSSEC just last month and came across this same issue and didn't find any specific documentation on it.
>> 
>> However, I came to the conclusion that since the NSEC record that was returned has the next domain name "acem.a.se <http://acem.a.se/>" which is a sub domain for the qname "a.se <http://a.se/>", its sufficient proof that the "a.se <http://a.se/>" name is NODATA and so no wildcard proof is required here.
>> 
>> Regards,
>> Shreyas Zare
>> Technitium
>> 
>> On Tue, Jan 11, 2022, 21:26 Hannes Mehnert <hannes at mehnert.org <mailto:hannes at mehnert.org>> wrote:
>> Hi DNS operators,
>> 
>> since this is my first mail here, I first would like to thank you all 
>> for the constructive discussions and technical expertise. I'm developing 
>> a DNS suite in OCaml, a statically typed functional programming language 
>> [see https://github.com/mirage/ocaml-dns <https://github.com/mirage/ocaml-dns> // https://mirageos.org <https://mirageos.org/> if 
>> interested], and have learned a lot from lurking on this list. My 
>> current work item is a recursive resolver.
>> 
>> When I just implemented the denial of existence for DNSSec (with NSEC), 
>> I stumbled upon the TLD .se that uses NSEC. I mailed earlier to 
>> registry-default at nic dot se (the hostmaster in the SOA of .se), but 
>> didn't get a reply.
>> 
>> Of course, I may be wrong with my analysis, if this is the case please 
>> help me to understand how this should work.
>> 
>> I'm wondering how other validators (public resolvers) deal with the 
>> following issue, which is a missing denial of existence for *.se: So, a 
>> request for resource record type A, domain name a.se <http://a.se/> results in the 
>> following:
>> 
>> $ dig +dnssec a.se <http://a.se/>
>> 
>> se.                     5363    IN      SOA catcher-in-the-rye.nic.se <http://catcher-in-the-rye.nic.se/>. 
>> registry-default.nic.se <http://registry-default.nic.se/>. 2022010921 1800 1800 864000 7200
>> se.                     5363    IN      RRSIG   SOA 8 1 172800 
>> 20220122054639 20220109191050 30015 se.  [...]
>> _nicname._tcp.se <http://tcp.se/>.       6694    IN      NSEC    acem.a.se <http://acem.a.se/>. SRV RRSIG NSEC
>> _nicname._tcp.se <http://tcp.se/>.       6694    IN      RRSIG   NSEC 8 3 7200 
>> 20220121191006 20220108001053 30015 se. [...]
>> 
>> Which provides a non-existence proof for everything between 
>> _nicname._tcp.se <http://tcp.se/> and acem.a.se <http://acem.a.se/>, but nothing for *.se (which according to 
>> the order of canonical domain names, is before _nicname._tcp.se <http://tcp.se/> -- even 
>> before 0.se <http://0.se/> that seems to be the first registered domain name).
>> 
>> The NSEC record missing from the reply above is the following NSEC and 
>> RRSIG ($ dig +dnssec ns \!.se).
>> 
>> se.                     4353    IN      NSEC    0.se <http://0.se/>. NS SOA TXT RRSIG 
>> NSEC DNSKEY
>> se.                     4353    IN      RRSIG   NSEC 8 1 7200 
>> 20220121132017 20220108061050 30015 se. 
>> jzWI5l5Sxyb2sOLzCWNX06nwmCtZuFdS3PvmivnyOPVZ3cw+blBXNYwN 
>> cFCYFdMC7R31W0ABBuT587mAm7Ae5NJX2GnXGcNgaVcD9VhKWAjJHpqf 
>> +NJcLOF9771m/BKPC7dKTwt/zVdKJSwFjaYTr0streS9OMCnJXbiWaQc 
>> CMDmzko2WiWdBNDAbZ8H/OfKymYjgJz1hZynMdl5LyWcGgxlOksuLKSv 
>> 4xg4Ey07r4ZCy5XTQwfHG74qWa+61BVjfP3KEEEB42B0rZX8lT15B9MS 
>> Cg9RmBObNC5FYjXGkbeik6iXrdOGzUUURHay+th9SJ4BGIFIV8fyyDTd oxOc5w==
>> 
>> 
>> Thank you for reading,
>> 
>> Hannes Mehnert
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net <mailto:dns-operations at lists.dns-oarc.net>
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations <https://lists.dns-oarc.net/mailman/listinfo/dns-operations>
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20220117/efafd2f6/attachment.html>

More information about the dns-operations mailing list