[dns-operations] DNSSec validation issue for .se (missing denial of existence for *.se)
Mark Andrews
marka at isc.org
Mon Jan 17 21:49:31 UTC 2022
For a NXDOMAIN response you need to prove that the QNAME does not exist and there is no matching wildcard. This will take 1 or 2 NSEC records or 1, 2, or 3 NSEC3 records.
For a NODATA response you need to prove the QNAME exists and there are no records of the desired type. This takes 1 NSEC record or 1 NSEC3 record. In a NSEC3 signed there there is an NSEC3 record with an empty type map for every empty non terminal node (ENT) in a correctly signed zone. In a NSEC signed zone the ENT proofs, if any, are found by looking at the relationships between two names in the covering NSEC record.
left.name.common NSEC right.ent.ent.ent.ent.ent.common
Mark
> On 18 Jan 2022, at 02:20, Mats Dufberg via dns-operations <dns-operations at dns-oarc.net> wrote:
>
>
> From: Mats Dufberg <mats.dufberg at internetstiftelsen.se>
> Subject: Re: [dns-operations] DNSSec validation issue for .se (missing denial of existence for *.se)
> Date: 18 January 2022 at 02:20:50 AEDT
> To: "dns-operations at dns-oarc.net" <dns-operations at dns-oarc.net>
>
>
> The name servers for .se seem to return two NSEC record, one of which covers the wildcard (*), if the response is an NXDOMAIN response, but not if it is a NODATA response for an empty non-terminal label.
>
> dig +dnssec 000000000.se +mult @x.ns.se
>
> (...)
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46328
> (...)
> 000000.se. 7200 IN NSEC 00046.se. NS RRSIG NSEC
> se. 7200 IN NSEC 0.se. NS SOA TXT RRSIG NSEC DNSKEY
> (...)
>
> dig +dnssec a.se +mult @x.ns.se
>
> (...)
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 103
> (...)
> _nicname._tcp.se. 7200 IN NSEC acem.a.se. SRV RRSIG NSEC
> (...)
>
>
> Is this really correct?
>
>
>
> Mats
>
> --
> ---
> Mats Dufberg
> mats.dufberg at internetstiftelsen.se
> Technical Expert
> Internetstiftelsen (The Swedish Internet Foundation)
> Mobile: +46 73 065 3899
> https://internetstiftelsen.se/
>
>
> From: Ulrich Wisser <ulrich at wisser.se>
> Date: Monday, 17 January 2022 at 15:01
> To: Mark Andrews <marka at isc.org>
> Cc: Shreyas Zare <shreyas at technitium.com>, Greg Choules via dns-operations <dns-operations at dns-oarc.net>
> Subject: Re: [dns-operations] DNSSec validation issue for .se (missing denial of existence for *.se)
>
> This is of course very interesting for us (at .se).
> I tried this with all our dns servers and all give the same answer.
> But I tend to agree that a proof for the non existence of the wildcard should be there.
>
> I am thinking of a domain setup as:
>
> *.example.com. TXT “wildcard”
> 0.example.com. TXT “zero”
> test.a.example.com. TXT “test.a”
>
> What answer should “dig +dnssec a.example.com txt” give?
>
> I would say “wildcard”. And if that is the case, shouldn’t it then send an extra sec in case there is no wildcard record?
>
> /Ulrich
>
>
>
> On 11 Jan 2022, at 21:34, Mark Andrews <marka at isc.org> wrote:
>
> NSEC prove there are no names with records between the two names. Note the qualifier “with records”. Clarifying this was one of the early corrections to the DNSSEC specification.
>
> --
> Mark Andrews
>
>
> On 12 Jan 2022, at 03:31, Shreyas Zare <shreyas at technitium.com> wrote:
>
>
> Hi,
>
> I was implementing DNSSEC just last month and came across this same issue and didn't find any specific documentation on it.
>
> However, I came to the conclusion that since the NSEC record that was returned has the next domain name "acem.a.se" which is a sub domain for the qname "a.se", its sufficient proof that the "a.se" name is NODATA and so no wildcard proof is required here.
>
> Regards,
> Shreyas Zare
> Technitium
>
> On Tue, Jan 11, 2022, 21:26 Hannes Mehnert <hannes at mehnert.org> wrote:
> Hi DNS operators,
>
> since this is my first mail here, I first would like to thank you all
> for the constructive discussions and technical expertise. I'm developing
> a DNS suite in OCaml, a statically typed functional programming language
> [see https://github.com/mirage/ocaml-dns // https://mirageos.org if
> interested], and have learned a lot from lurking on this list. My
> current work item is a recursive resolver.
>
> When I just implemented the denial of existence for DNSSec (with NSEC),
> I stumbled upon the TLD .se that uses NSEC. I mailed earlier to
> registry-default at nic dot se (the hostmaster in the SOA of .se), but
> didn't get a reply.
>
> Of course, I may be wrong with my analysis, if this is the case please
> help me to understand how this should work.
>
> I'm wondering how other validators (public resolvers) deal with the
> following issue, which is a missing denial of existence for *.se: So, a
> request for resource record type A, domain name a.se results in the
> following:
>
> $ dig +dnssec a.se
>
> se. 5363 IN SOA catcher-in-the-rye.nic.se.
> registry-default.nic.se. 2022010921 1800 1800 864000 7200
> se. 5363 IN RRSIG SOA 8 1 172800
> 20220122054639 20220109191050 30015 se. [...]
> _nicname._tcp.se. 6694 IN NSEC acem.a.se. SRV RRSIG NSEC
> _nicname._tcp.se. 6694 IN RRSIG NSEC 8 3 7200
> 20220121191006 20220108001053 30015 se. [...]
>
> Which provides a non-existence proof for everything between
> _nicname._tcp.se and acem.a.se, but nothing for *.se (which according to
> the order of canonical domain names, is before _nicname._tcp.se -- even
> before 0.se that seems to be the first registered domain name).
>
> The NSEC record missing from the reply above is the following NSEC and
> RRSIG ($ dig +dnssec ns \!.se).
>
> se. 4353 IN NSEC 0.se. NS SOA TXT RRSIG
> NSEC DNSKEY
> se. 4353 IN RRSIG NSEC 8 1 7200
> 20220121132017 20220108061050 30015 se.
> jzWI5l5Sxyb2sOLzCWNX06nwmCtZuFdS3PvmivnyOPVZ3cw+blBXNYwN
> cFCYFdMC7R31W0ABBuT587mAm7Ae5NJX2GnXGcNgaVcD9VhKWAjJHpqf
> +NJcLOF9771m/BKPC7dKTwt/zVdKJSwFjaYTr0streS9OMCnJXbiWaQc
> CMDmzko2WiWdBNDAbZ8H/OfKymYjgJz1hZynMdl5LyWcGgxlOksuLKSv
> 4xg4Ey07r4ZCy5XTQwfHG74qWa+61BVjfP3KEEEB42B0rZX8lT15B9MS
> Cg9RmBObNC5FYjXGkbeik6iXrdOGzUUURHay+th9SJ4BGIFIV8fyyDTd oxOc5w==
>
>
> Thank you for reading,
>
> Hannes Mehnert
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations
mailing list