<div dir="auto"><div><br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jun 22, 2021, 12:35 AM Matt Nordhoff <<a href="mailto:mnordhoff@gmail.com">mnordhoff@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Tue, Jun 22, 2021 at 3:54 AM Viktor Dukhovni <<a href="mailto:ietf-dane@dukhovni.org" target="_blank" rel="noreferrer">ietf-dane@dukhovni.org</a>> wrote:<br>
> On Tue, Jun 22, 2021 at 03:30:39AM +0000, Matt Nordhoff wrote:<br>
><br>
> > > Indeed I see the same:<br>
> > ><br>
> > > $ dig +noall +dnssec +norecur +nocrypto +ans +auth +add -t NS <a href="http://corp.ibexglobal.com" rel="noreferrer noreferrer" target="_blank">corp.ibexglobal.com</a> @<a href="http://ns-725.awsdns-26.net" rel="noreferrer noreferrer" target="_blank">ns-725.awsdns-26.net</a>.<br>
> > > <a href="http://corp.ibexglobal.com" rel="noreferrer noreferrer" target="_blank">corp.ibexglobal.com</a>. 172800 IN NS <a href="http://ns-1415.awsdns-48.org" rel="noreferrer noreferrer" target="_blank">ns-1415.awsdns-48.org</a>.<br>
> > > <a href="http://corp.ibexglobal.com" rel="noreferrer noreferrer" target="_blank">corp.ibexglobal.com</a>. 172800 IN NS <a href="http://ns-1804.awsdns-33.co.uk" rel="noreferrer noreferrer" target="_blank">ns-1804.awsdns-33.co.uk</a>.<br>
> > > <a href="http://corp.ibexglobal.com" rel="noreferrer noreferrer" target="_blank">corp.ibexglobal.com</a>. 172800 IN NS <a href="http://ns-29.awsdns-03.com" rel="noreferrer noreferrer" target="_blank">ns-29.awsdns-03.com</a>.<br>
> > > <a href="http://corp.ibexglobal.com" rel="noreferrer noreferrer" target="_blank">corp.ibexglobal.com</a>. 172800 IN NS <a href="http://ns-945.awsdns-54.net" rel="noreferrer noreferrer" target="_blank">ns-945.awsdns-54.net</a>.<br>
> > > <a href="http://corp.ibexglobal.com" rel="noreferrer noreferrer" target="_blank">corp.ibexglobal.com</a>. 86400 IN NSEC \<a href="http://000.corp.ibexglobal.com" rel="noreferrer noreferrer" target="_blank">000.corp.ibexglobal.com</a>. RRSIG NSEC<br>
> > > <a href="http://corp.ibexglobal.com" rel="noreferrer noreferrer" target="_blank">corp.ibexglobal.com</a>. 86400 IN RRSIG NSEC 13 3 86400 20210623012420 20210621232420 36517 <a href="http://ibexglobal.com" rel="noreferrer noreferrer" target="_blank">ibexglobal.com</a>. [omitted]<br>
> > ><br>
> > > This violates <<a href="https://datatracker.ietf.org/doc/html/rfc4035#section-2.3" rel="noreferrer noreferrer" target="_blank">https://datatracker.ietf.org/doc/html/rfc4035#section-2.3</a>>:<br>
> ><br>
> > I haven't spent the time to understand precisely what this thread is<br>
> > talking about, but that's how NSEC white/black lies work. NS1 does the<br>
> > same thing (give or take possible bugs) as AWS.<br>
><br>
> No, there's a subtle difference, this qname actually exists, and has an<br>
> NS RRSet. The NSEC bitmap needs to reflect this.<br>
<br>
Ah, now I understand the issue, thank you.<br>
<br>
I'm sorry if my previous email seemed glib. I didn't get enough sleep<br>
to easily understand NSEC problems, but thought it was probably better<br>
to reply now than to wait.<br>
<br>
My email might still matter, but it's not relevant to this thread.<br>
<br>
[FWIW, Cloudflare handles insecure referrals correctly, AFAIK. I have<br>
no idea about NS1, but there's no reason to suspect anything.]<br></blockquote></div></div><div dir="auto"><br></div><div dir="auto">I did not see this issue with cloudflare.</div><div dir="auto"><br></div><div dir="auto">For some reason my post forked into two threads. Gavin from AWS replied on the other thread.</div><div dir="auto"><br></div><div dir="auto">Puneet</div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
-- <br>
Matt Nordhoff<br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank" rel="noreferrer">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div></div></div>