<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">NSEC prove there are no names with records between the two names. Note the qualifier “with records”. Clarifying this was one of the early corrections to the DNSSEC specification. <br><br><div dir="ltr">-- <div>Mark Andrews</div></div><div dir="ltr"><br><blockquote type="cite">On 12 Jan 2022, at 03:31, Shreyas Zare <shreyas@technitium.com> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><div dir="auto"><div>Hi,<div dir="auto"><br></div><div dir="auto">I was implementing DNSSEC just last month and came across this same issue and didn't find any specific documentation on it.</div><div dir="auto"><br></div><div dir="auto">However, I came to the conclusion that since the NSEC record that was returned has the next domain name "<a href="http://acem.a.se">acem.a.se</a>" which is a sub domain for the qname "<a href="http://a.se">a.se</a>", its sufficient proof that the "<a href="http://a.se">a.se</a>" name is NODATA and so no wildcard proof is required here.</div><div dir="auto"><br></div><div dir="auto">Regards,<br><div data-smartmail="gmail_signature" dir="auto">Shreyas Zare<br>Technitium</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jan 11, 2022, 21:26 Hannes Mehnert <<a href="mailto:hannes@mehnert.org">hannes@mehnert.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi DNS operators,<br>
<br>
since this is my first mail here, I first would like to thank you all <br>
for the constructive discussions and technical expertise. I'm developing <br>
a DNS suite in OCaml, a statically typed functional programming language <br>
[see <a href="https://github.com/mirage/ocaml-dns" rel="noreferrer noreferrer" target="_blank">https://github.com/mirage/ocaml-dns</a> // <a href="https://mirageos.org" rel="noreferrer noreferrer" target="_blank">https://mirageos.org</a> if <br>
interested], and have learned a lot from lurking on this list. My <br>
current work item is a recursive resolver.<br>
<br>
When I just implemented the denial of existence for DNSSec (with NSEC), <br>
I stumbled upon the TLD .se that uses NSEC. I mailed earlier to <br>
registry-default at nic dot se (the hostmaster in the SOA of .se), but <br>
didn't get a reply.<br>
<br>
Of course, I may be wrong with my analysis, if this is the case please <br>
help me to understand how this should work.<br>
<br>
I'm wondering how other validators (public resolvers) deal with the <br>
following issue, which is a missing denial of existence for *.se: So, a <br>
request for resource record type A, domain name <a href="http://a.se" rel="noreferrer noreferrer" target="_blank">a.se</a> results in the <br>
following:<br>
<br>
$ dig +dnssec <a href="http://a.se" rel="noreferrer noreferrer" target="_blank">a.se</a><br>
<br>
se. 5363 IN SOA <a href="http://catcher-in-the-rye.nic.se" rel="noreferrer noreferrer" target="_blank">catcher-in-the-rye.nic.se</a>. <br>
<a href="http://registry-default.nic.se" rel="noreferrer noreferrer" target="_blank">registry-default.nic.se</a>. 2022010921 1800 1800 864000 7200<br>
se. 5363 IN RRSIG SOA 8 1 172800 <br>
20220122054639 20220109191050 30015 se. [...]<br>
_nicname._<a href="http://tcp.se" rel="noreferrer noreferrer" target="_blank">tcp.se</a>. 6694 IN NSEC <a href="http://acem.a.se" rel="noreferrer noreferrer" target="_blank">acem.a.se</a>. SRV RRSIG NSEC<br>
_nicname._<a href="http://tcp.se" rel="noreferrer noreferrer" target="_blank">tcp.se</a>. 6694 IN RRSIG NSEC 8 3 7200 <br>
20220121191006 20220108001053 30015 se. [...]<br>
<br>
Which provides a non-existence proof for everything between <br>
_nicname._<a href="http://tcp.se" rel="noreferrer noreferrer" target="_blank">tcp.se</a> and <a href="http://acem.a.se" rel="noreferrer noreferrer" target="_blank">acem.a.se</a>, but nothing for *.se (which according to <br>
the order of canonical domain names, is before _nicname._<a href="http://tcp.se" rel="noreferrer noreferrer" target="_blank">tcp.se</a> -- even <br>
before <a href="http://0.se" rel="noreferrer noreferrer" target="_blank">0.se</a> that seems to be the first registered domain name).<br>
<br>
The NSEC record missing from the reply above is the following NSEC and <br>
RRSIG ($ dig +dnssec ns \!.se).<br>
<br>
se. 4353 IN NSEC <a href="http://0.se" rel="noreferrer noreferrer" target="_blank">0.se</a>. NS SOA TXT RRSIG <br>
NSEC DNSKEY<br>
se. 4353 IN RRSIG NSEC 8 1 7200 <br>
20220121132017 20220108061050 30015 se. <br>
jzWI5l5Sxyb2sOLzCWNX06nwmCtZuFdS3PvmivnyOPVZ3cw+blBXNYwN <br>
cFCYFdMC7R31W0ABBuT587mAm7Ae5NJX2GnXGcNgaVcD9VhKWAjJHpqf <br>
+NJcLOF9771m/BKPC7dKTwt/zVdKJSwFjaYTr0streS9OMCnJXbiWaQc <br>
CMDmzko2WiWdBNDAbZ8H/OfKymYjgJz1hZynMdl5LyWcGgxlOksuLKSv <br>
4xg4Ey07r4ZCy5XTQwfHG74qWa+61BVjfP3KEEEB42B0rZX8lT15B9MS <br>
Cg9RmBObNC5FYjXGkbeik6iXrdOGzUUURHay+th9SJ4BGIFIV8fyyDTd oxOc5w==<br>
<br>
<br>
Thank you for reading,<br>
<br>
Hannes Mehnert<br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank" rel="noreferrer">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div></div></div>
<span>_______________________________________________</span><br><span>dns-operations mailing list</span><br><span>dns-operations@lists.dns-oarc.net</span><br><span>https://lists.dns-oarc.net/mailman/listinfo/dns-operations</span><br></div></blockquote></body></html>