[dns-operations] Cloudflare TYPE65283

Emmanuel Fusté manu.fuste at gmail.com
Mon Mar 27 16:30:02 UTC 2023


Le 27/03/2023 à 17:09, Viktor Dukhovni a écrit :
> On Mon, Mar 27, 2023 at 04:28:30PM +0200, Emmanuel Fusté wrote:
>
>>> definitely does not exist.  The issue I take it that the
>>> sentinel-free:
>>>
>>>       nxdomain.example. IN NSEC \0.nxdomain.example. RRSIG NSEC
>>>
>>> which is an ENT per:
>>>
>>>       https://datatracker.ietf.org/doc/html/draft-huque-dnsop-compact-lies-01#section-3.2
>>>
>>> may for some time be ambiguous while still used for NXDOMAIN by earlier
>>> implementations.  For that, sure, we should encourage those
>>> implementations to adopt whatever becomes the published protocol at
>>> their earliest convenience (realistically a year or two based on prior
>>> experience nagging operators to resolve compliance issues).
>> Thank you Viktor.
>> That confirms my understanding and my analysis in my answers to Petr.
> Do you have a list of operators that currently return just "RRSIG NSEC"
> for ENTs?  Do you know what software they are running?
I double-checked: route53/AWS currently returns just "RRSIG NSEC" for ENTs.

Even worse, it seems that they infer answers to non-EDNS or cleared-DO-bit
questions from an internal DNSSEC response, even for non-DNSSEC-enabled
zones:
- they currently return NXDOMAIN for ENTs on apparently non-DNSSEC-signed
zones.
- they currently return NXDOMAIN for ENTs on DNSSEC-signed zones for
requests in plain DNS or with the DO bit cleared.

>
> On the fly signing with compact denial of existence is a bleeding-edge
> behaviour, and one might expect that the software in question is not
> ossified and operators might be proactive.  So with a bit of luck any
> ambiguity might be resolved before long.
>
> The only other option is to introduce yet another sentinel that signals
> that the node in question is an ENT, so that the bare "RRSIG NSEC"
> combination is ultimately never used.
Yes, it was my conclusion too.
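As an added illustration (not code from this thread, from Cloudflare or AWS, or from the draft authors), the following small Python checker takes one NSEC record in presentation form plus the query name and reports which compact-denial-of-existence case the record represents, flagging the bare "RRSIG NSEC" bitmap that the thread identifies as ambiguous between an ENT (per draft-huque-dnsop-compact-lies-01 section 3.2) and a legacy NXDOMAIN. The set of sentinel type names it recognises (NXNAME from the draft's mnemonic and TYPE65283 from the thread subject) is an assumption, and all sample records are constructed.

```python
# Added example: classify a single NSEC record from a compact-denial answer.
# Not code from the dns-operations thread, Cloudflare, AWS or the draft.
from dataclasses import dataclass
from typing import FrozenSet

# Verdicts returned by classify()
CLASSIC = "classic NSEC (next name is not \\0.<qname>; not compact denial)"
NXDOMAIN = "NXDOMAIN (compact denial with sentinel type in bitmap)"
ENT_AMBIGUOUS = "ENT per draft-01 (bare RRSIG NSEC; ambiguous with legacy NXDOMAIN)"
NODATA = "NODATA (name exists; bitmap lists its real types)"

# Assumption: type names an operator might use as the NXDOMAIN sentinel.
# TYPE65283 is the private-use code from the thread subject; NXNAME is the
# mnemonic used by the compact-denial draft. Extend if a deployment differs.
NXDOMAIN_SENTINELS = frozenset({"NXNAME", "TYPE65283"})


@dataclass(frozen=True)
class NsecRR:
    owner: str
    next_name: str
    types: FrozenSet[str]


def canonical(name: str) -> str:
    """Lower-case, add a trailing dot, and fold the \\000 and \\0 spellings of
    the NUL label that compact denial prepends to the query name."""
    name = name.lower()
    if not name.endswith("."):
        name += "."
    if name.startswith("\\000."):
        name = "\\0." + name[len("\\000."):]
    return name


def parse_nsec(presentation: str) -> NsecRR:
    """Parse presentation form such as
    'nxdomain.example. IN NSEC \\0.nxdomain.example. RRSIG NSEC'.
    An optional TTL and class between the owner and NSEC are tolerated."""
    tokens = presentation.split()
    # The first NSEC token after the owner is the RR type; later ones are bitmap entries.
    rtype_idx = tokens.index("NSEC", 1)
    return NsecRR(
        owner=canonical(tokens[0]),
        next_name=canonical(tokens[rtype_idx + 1]),
        types=frozenset(t.upper() for t in tokens[rtype_idx + 2:]),
    )


def classify(qname: str, rr: NsecRR) -> str:
    """Decide which denial case the NSEC record expresses for qname."""
    qname = canonical(qname)
    # Compact denial always answers with owner == qname and next == \0.qname.
    if rr.owner != qname or rr.next_name != "\\0." + qname:
        return CLASSIC
    if rr.types & NXDOMAIN_SENTINELS:
        return NXDOMAIN
    if rr.types == frozenset({"RRSIG", "NSEC"}):
        return ENT_AMBIGUOUS  # the case this thread is about
    return NODATA


if __name__ == "__main__":
    # Constructed samples, not captured from any operator.
    samples = [
        ("nxdomain.example.", "nxdomain.example. IN NSEC \\0.nxdomain.example. RRSIG NSEC"),
        ("nxdomain.example.", "nxdomain.example. 300 IN NSEC \\000.nxdomain.example. RRSIG NSEC TYPE65283"),
        ("www.example.", "www.example. IN NSEC \\0.www.example. A RRSIG NSEC"),
        ("b.example.", "a.example. IN NSEC c.example. A RRSIG NSEC"),
    ]
    for qname, rrtext in samples:
        print(f"{qname:20} -> {classify(qname, parse_nsec(rrtext))}")
```

When auditing an operator's behaviour as the thread does, run the same query twice, once with the DO bit set and once cleared, and feed each NSEC (where one is present at all) through classify(); a name that comes back ENT_AMBIGUOUS with DO set but RCODE NXDOMAIN without it is exactly the inconsistency described above.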