<div dir="ltr"><div>Hannes,</div><div><br></div><div>This is a NODATA response for an empty non-terminal, so no wildcard non-existence</div><div>proof is needed.</div><div><br></div><div>The following NSEC record demonstrates that "<a href="http://a.se">a.se</a>" is an empty non-terminal:</div><div><br></div><div>
_nicname._<a href="http://tcp.se" rel="noreferrer" target="_blank">tcp.se</a>. 6694 IN NSEC <a href="http://acem.a.se" rel="noreferrer" target="_blank">acem.a.se</a>. SRV RRSIG NSEC</div><div><br></div><div>Shumon.<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jan 11, 2022 at 10:58 AM Hannes Mehnert <<a href="mailto:hannes@mehnert.org">hannes@mehnert.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi DNS operators,<br>
<br>
since this is my first mail here, I first would like to thank you all <br>
for the constructive discussions and technical expertise. I'm developing <br>
a DNS suite in OCaml, a statically typed functional programming language <br>
[see <a href="https://github.com/mirage/ocaml-dns" rel="noreferrer" target="_blank">https://github.com/mirage/ocaml-dns</a> // <a href="https://mirageos.org" rel="noreferrer" target="_blank">https://mirageos.org</a> if <br>
interested], and have learned a lot from lurking on this list. My <br>
current work item is a recursive resolver.<br>
<br>
When I just implemented the denial of existence for DNSSec (with NSEC), <br>
I stumbled upon the TLD .se that uses NSEC. I mailed earlier to <br>
registry-default at nic dot se (the hostmaster in the SOA of .se), but <br>
didn't get a reply.<br>
<br>
Of course, I may be wrong with my analysis, if this is the case please <br>
help me to understand how this should work.<br>
<br>
I'm wondering how other validators (public resolvers) deal with the <br>
following issue, which is a missing denial of existence for *.se: So, a <br>
request for resource record type A, domain name <a href="http://a.se" rel="noreferrer" target="_blank">a.se</a> results in the <br>
following:<br>
<br>
$ dig +dnssec <a href="http://a.se" rel="noreferrer" target="_blank">a.se</a><br>
<br>
se. 5363 IN SOA <a href="http://catcher-in-the-rye.nic.se" rel="noreferrer" target="_blank">catcher-in-the-rye.nic.se</a>. <br>
<a href="http://registry-default.nic.se" rel="noreferrer" target="_blank">registry-default.nic.se</a>. 2022010921 1800 1800 864000 7200<br>
se. 5363 IN RRSIG SOA 8 1 172800 <br>
20220122054639 20220109191050 30015 se. [...]<br>
_nicname._<a href="http://tcp.se" rel="noreferrer" target="_blank">tcp.se</a>. 6694 IN NSEC <a href="http://acem.a.se" rel="noreferrer" target="_blank">acem.a.se</a>. SRV RRSIG NSEC<br>
_nicname._<a href="http://tcp.se" rel="noreferrer" target="_blank">tcp.se</a>. 6694 IN RRSIG NSEC 8 3 7200 <br>
20220121191006 20220108001053 30015 se. [...]<br>
<br>
Which provides a non-existence proof for everything between <br>
_nicname._<a href="http://tcp.se" rel="noreferrer" target="_blank">tcp.se</a> and <a href="http://acem.a.se" rel="noreferrer" target="_blank">acem.a.se</a>, but nothing for *.se (which according to <br>
the order of canonical domain names, is before _nicname._<a href="http://tcp.se" rel="noreferrer" target="_blank">tcp.se</a> -- even <br>
before <a href="http://0.se" rel="noreferrer" target="_blank">0.se</a> that seems to be the first registered domain name).<br>
<br>
The NSEC record missing from the reply above is the following NSEC and <br>
RRSIG ($ dig +dnssec ns \!.se).<br>
<br>
se. 4353 IN NSEC <a href="http://0.se" rel="noreferrer" target="_blank">0.se</a>. NS SOA TXT RRSIG <br>
NSEC DNSKEY<br>
se. 4353 IN RRSIG NSEC 8 1 7200 <br>
20220121132017 20220108061050 30015 se. <br>
jzWI5l5Sxyb2sOLzCWNX06nwmCtZuFdS3PvmivnyOPVZ3cw+blBXNYwN <br>
cFCYFdMC7R31W0ABBuT587mAm7Ae5NJX2GnXGcNgaVcD9VhKWAjJHpqf <br>
+NJcLOF9771m/BKPC7dKTwt/zVdKJSwFjaYTr0streS9OMCnJXbiWaQc <br>
CMDmzko2WiWdBNDAbZ8H/OfKymYjgJz1hZynMdl5LyWcGgxlOksuLKSv <br>
4xg4Ey07r4ZCy5XTQwfHG74qWa+61BVjfP3KEEEB42B0rZX8lT15B9MS <br>
Cg9RmBObNC5FYjXGkbeik6iXrdOGzUUURHay+th9SJ4BGIFIV8fyyDTd oxOc5w==<br>
<br>
<br>
Thank you for reading,<br>
<br>
Hannes Mehnert<br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div></div>