[dns-operations] Cloudflare TYPE65283
Emmanuel Fusté
manu.fuste at gmail.com
Mon Mar 27 16:30:02 UTC 2023
Le 27/03/2023 à 17:09, Viktor Dukhovni a écrit :
> On Mon, Mar 27, 2023 at 04:28:30PM +0200, Emmanuel Fusté wrote:
>
>>> definitely does not exist. The issue I take it that the
>>> sentinel-free:
>>>
>>> nxdomain.example. IN NSEC \0.nxdomain.example. RRSIG NSEC
>>>
>>> which is an ENT per:
>>>
>>> https://datatracker.ietf.org/doc/html/draft-huque-dnsop-compact-lies-01#section-3.2
>>>
>>> may for some time be ambiguous while still used for NXDOMAIN by earlier
>>> implementations. For that, sure, we should encourage those
>>> implementations to adopt whatever becomes the published protocol at
>>> their earliest convenience (realistically a year or two based on prior
>>> experience nagging operators to resolve compliance issues).
>> Thank you Viktor.
>> That confirms my understanding and my analysis in my answers to Petr.
> Do you have a list of operators that currently return just "RRSIG NSEC"
> for ENTs? Do you what software they are running?
I double-checked: route53/AWS currently returns just "RRSIG NSEC" for ENTs.
Even worse, it seems that they infer answers to non-EDNS or cleared-DO-bit
questions from an internal DNSSEC response, even for non-DNSSEC-enabled
zones:
- they currently return NXDOMAIN for ENTs on apparently non-DNSSEC-signed
zones.
- they currently return NXDOMAIN for ENTs on DNSSEC-signed zones for
requests in plain DNS or with the DO bit cleared.
>
> On the fly signing with compact denial of existence is a bleeding-edge
> behaviour, and one might expect that the software in question is not
> ossified and operators might be proactive. So with a bit of luck any
> ambiguity might be resolved before long.
>
> The only other option is to introduce yet another sentinel that signals
> that the node in question is an ENT, so that the bare "RRSIG NSEC"
> combination is ultimately never used.
Yes it was my conclusion too.
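The ambiguity discussed above comes down to what a validator can read out of the NSEC type bitmap in a compact denial-of-existence answer. The following is an added example, not code from this thread, from the draft, or from any of the operators it mentions. It encodes and decodes the NSEC type bitmap in RFC 4034 section 4.1.2 wire format, builds the minimal successor name shown in the quoted record (`\0.nxdomain.example.`), and classifies a denial the way the draft's section 3.2 reading implies. Two things are assumptions of the example: that the private-use type code 65283 from the thread's subject is the NXDOMAIN sentinel, and that a bitmap of exactly "RRSIG NSEC" is an ENT, which the code flags as ambiguous because older implementations used that same bitmap for NXDOMAIN.

```python
"""Classify compact denial-of-existence NSEC records by their type bitmap.

Added example for the dns-operations thread; not code from the draft or
from any operator's implementation. Assumptions are marked inline.
"""

RRSIG = 46
NSEC = 47
# Assumption: the TYPE65283 private-use code from the thread's subject is
# the sentinel that marks a synthesised NXDOMAIN answer.
NXNAME_SENTINEL = 65283


def encode_type_bitmap(types):
    """Encode RR type codes as an NSEC type bitmap (RFC 4034 section 4.1.2).

    Each window block covers 256 type codes; trailing zero octets of a
    window are omitted and the octet count is 1..32.
    """
    windows = {}
    for t in sorted(set(types)):
        if not 0 <= t <= 65535:
            raise ValueError(f"bad type code {t}")
        win, low = divmod(t, 256)
        bits = windows.setdefault(win, bytearray(32))
        bits[low // 8] |= 0x80 >> (low % 8)
    out = bytearray()
    for win in sorted(windows):
        bits = windows[win]
        length = len(bits.rstrip(b"\x00"))  # drop trailing zero octets
        out += bytes([win, length]) + bytes(bits[:length])
    return bytes(out)


def decode_type_bitmap(data):
    """Decode an NSEC type bitmap into a sorted list of type codes."""
    types = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        win, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("bad window length")
        for octet_index, octet in enumerate(data[i + 2:i + 2 + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.append(win * 256 + octet_index * 8 + bit)
        i += 2 + length
    return types


def minimal_successor(owner):
    """Return the name immediately after `owner` in canonical order.

    Compact denial uses this as the NSEC "next" field so the record covers
    only the queried name, e.g. nxdomain.example. -> \\000.nxdomain.example.
    """
    if not owner.endswith("."):
        raise ValueError("owner must be a fully qualified name")
    return "\\000." + owner


def classify_denial(bitmap_types):
    """Classify a compact-denial NSEC answer from the types in its bitmap.

    - sentinel present            -> NXDOMAIN
    - exactly RRSIG and NSEC      -> ENT per the draft's section 3.2, but
                                     ambiguous: earlier implementations used
                                     this bitmap for NXDOMAIN (the thread's
                                     point)
    - anything else               -> NODATA; the name exists with the listed
                                     types but not the queried one
    """
    present = set(bitmap_types)
    if NXNAME_SENTINEL in present:
        return "NXDOMAIN"
    if present == {RRSIG, NSEC}:
        return "ENT (ambiguous with legacy NXDOMAIN)"
    return "NODATA"


if __name__ == "__main__":
    # Constructed sample: the sentinel-free record quoted in the thread.
    wire = encode_type_bitmap([RRSIG, NSEC])
    print(minimal_successor("nxdomain.example."), wire.hex(),
          classify_denial(decode_type_bitmap(wire)))
    # Constructed sample: the same name answered with the NXDOMAIN sentinel.
    wire = encode_type_bitmap([RRSIG, NSEC, NXNAME_SENTINEL])
    print(wire.hex(), classify_denial(decode_type_bitmap(wire)))
```

Run against a captured NSEC RDATA, the decoder gives the type list and the classifier says which of the three cases a validator is looking at; the "ambiguous" label is the practical reason the thread wants either a second sentinel or a firm deadline for implementations to converge.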