<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">This is of course very interesting for us (at .se).<div class="">I tried this with all our dns servers and all give the same answer.</div><div class="">But I tend to agree that a proof for the non existence of the wildcard should be there.</div><div class=""><br class=""></div><div class="">I am thinking of a domain setup as:</div><div class=""><br class=""></div><div class="">*.<a href="http://example.com" class="">example.com</a>. TXT “wildcard”</div><div class=""><a href="http://0.example.com" class="">0.example.com</a>. TXT “zero”</div><div class=""><a href="http://test.a.example.com" class="">test.a.example.com</a>. TXT “test.a”</div><div class=""><br class=""><div>What answer should “dig +dnssec <a href="http://a.example.com" class="">a.example.com</a> txt” give?</div><div><br class=""></div><div>I would say “wildcard”. And if that is the case, shouldn’t it then send an extra sec in case there is no wildcard record?</div><div><br class=""></div><div>/Ulrich</div><div><br class=""></div><div><br class=""><blockquote type="cite" class=""><div class="">On 11 Jan 2022, at 21:34, Mark Andrews <<a href="mailto:marka@isc.org" class="">marka@isc.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="content-type" content="text/html; charset=utf-8" class=""><div dir="auto" class="">NSEC prove there are no names with records between the two names. Note the qualifier “with records”. Clarifying this was one of the early corrections to the DNSSEC specification. <br class=""><br class=""><div dir="ltr" class="">-- <div class="">Mark Andrews</div></div><div dir="ltr" class=""><br class=""><blockquote type="cite" class="">On 12 Jan 2022, at 03:31, Shreyas Zare <<a href="mailto:shreyas@technitium.com" class="">shreyas@technitium.com</a>> wrote:<br class=""><br class=""></blockquote></div><blockquote type="cite" class=""><div dir="ltr" class=""><div dir="auto" class=""><div class="">Hi,<div dir="auto" class=""><br class=""></div><div dir="auto" class="">I was implementing DNSSEC just last month and came across this same issue and didn't find any specific documentation on it.</div><div dir="auto" class=""><br class=""></div><div dir="auto" class="">However, I came to the conclusion that since the NSEC record that was returned has the next domain name "<a href="http://acem.a.se/" class="">acem.a.se</a>" which is a sub domain for the qname "<a href="http://a.se/" class="">a.se</a>", its sufficient proof that the "<a href="http://a.se/" class="">a.se</a>" name is NODATA and so no wildcard proof is required here.</div><div dir="auto" class=""><br class=""></div><div dir="auto" class="">Regards,<br class=""><div data-smartmail="gmail_signature" dir="auto" class="">Shreyas Zare<br class="">Technitium</div></div><br class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jan 11, 2022, 21:26 Hannes Mehnert <<a href="mailto:hannes@mehnert.org" class="">hannes@mehnert.org</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi DNS operators,<br class="">
<br class="">
since this is my first mail here, I first would like to thank you all <br class="">
for the constructive discussions and technical expertise. I'm developing <br class="">
a DNS suite in OCaml, a statically typed functional programming language <br class="">
[see <a href="https://github.com/mirage/ocaml-dns" rel="noreferrer noreferrer" target="_blank" class="">https://github.com/mirage/ocaml-dns</a> // <a href="https://mirageos.org/" rel="noreferrer noreferrer" target="_blank" class="">https://mirageos.org</a> if <br class="">
interested], and have learned a lot from lurking on this list. My <br class="">
current work item is a recursive resolver.<br class="">
<br class="">
When I just implemented the denial of existence for DNSSec (with NSEC), <br class="">
I stumbled upon the TLD .se that uses NSEC. I mailed earlier to <br class="">
registry-default at nic dot se (the hostmaster in the SOA of .se), but <br class="">
didn't get a reply.<br class="">
<br class="">
Of course, I may be wrong with my analysis, if this is the case please <br class="">
help me to understand how this should work.<br class="">
<br class="">
I'm wondering how other validators (public resolvers) deal with the <br class="">
following issue, which is a missing denial of existence for *.se: So, a <br class="">
request for resource record type A, domain name <a href="http://a.se/" rel="noreferrer noreferrer" target="_blank" class="">a.se</a> results in the <br class="">
following:<br class="">
<br class="">
$ dig +dnssec <a href="http://a.se/" rel="noreferrer noreferrer" target="_blank" class="">a.se</a><br class="">
<br class="">
se. 5363 IN SOA <a href="http://catcher-in-the-rye.nic.se/" rel="noreferrer noreferrer" target="_blank" class="">catcher-in-the-rye.nic.se</a>. <br class="">
<a href="http://registry-default.nic.se/" rel="noreferrer noreferrer" target="_blank" class="">registry-default.nic.se</a>. 2022010921 1800 1800 864000 7200<br class="">
se. 5363 IN RRSIG SOA 8 1 172800 <br class="">
20220122054639 20220109191050 30015 se. [...]<br class="">
_nicname._<a href="http://tcp.se/" rel="noreferrer noreferrer" target="_blank" class="">tcp.se</a>. 6694 IN NSEC <a href="http://acem.a.se/" rel="noreferrer noreferrer" target="_blank" class="">acem.a.se</a>. SRV RRSIG NSEC<br class="">
_nicname._<a href="http://tcp.se/" rel="noreferrer noreferrer" target="_blank" class="">tcp.se</a>. 6694 IN RRSIG NSEC 8 3 7200 <br class="">
20220121191006 20220108001053 30015 se. [...]<br class="">
<br class="">
Which provides a non-existence proof for everything between <br class="">
_nicname._<a href="http://tcp.se/" rel="noreferrer noreferrer" target="_blank" class="">tcp.se</a> and <a href="http://acem.a.se/" rel="noreferrer noreferrer" target="_blank" class="">acem.a.se</a>, but nothing for *.se (which according to <br class="">
the order of canonical domain names, is before _nicname._<a href="http://tcp.se/" rel="noreferrer noreferrer" target="_blank" class="">tcp.se</a> -- even <br class="">
before <a href="http://0.se/" rel="noreferrer noreferrer" target="_blank" class="">0.se</a> that seems to be the first registered domain name).<br class="">
<br class="">
The NSEC record missing from the reply above is the following NSEC and <br class="">
RRSIG ($ dig +dnssec ns \!.se).<br class="">
<br class="">
se. 4353 IN NSEC <a href="http://0.se/" rel="noreferrer noreferrer" target="_blank" class="">0.se</a>. NS SOA TXT RRSIG <br class="">
NSEC DNSKEY<br class="">
se. 4353 IN RRSIG NSEC 8 1 7200 <br class="">
20220121132017 20220108061050 30015 se. <br class="">
jzWI5l5Sxyb2sOLzCWNX06nwmCtZuFdS3PvmivnyOPVZ3cw+blBXNYwN <br class="">
cFCYFdMC7R31W0ABBuT587mAm7Ae5NJX2GnXGcNgaVcD9VhKWAjJHpqf <br class="">
+NJcLOF9771m/BKPC7dKTwt/zVdKJSwFjaYTr0streS9OMCnJXbiWaQc <br class="">
CMDmzko2WiWdBNDAbZ8H/OfKymYjgJz1hZynMdl5LyWcGgxlOksuLKSv <br class="">
4xg4Ey07r4ZCy5XTQwfHG74qWa+61BVjfP3KEEEB42B0rZX8lT15B9MS <br class="">
Cg9RmBObNC5FYjXGkbeik6iXrdOGzUUURHay+th9SJ4BGIFIV8fyyDTd oxOc5w==<br class="">
<br class="">
<br class="">
Thank you for reading,<br class="">
<br class="">
Hannes Mehnert<br class="">
_______________________________________________<br class="">
dns-operations mailing list<br class="">
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank" rel="noreferrer" class="">dns-operations@lists.dns-oarc.net</a><br class="">
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer noreferrer" target="_blank" class="">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br class="">
</blockquote></div></div></div>
<span class="">_______________________________________________</span><br class=""><span class="">dns-operations mailing list</span><br class=""><span class=""><a href="mailto:dns-operations@lists.dns-oarc.net" class="">dns-operations@lists.dns-oarc.net</a></span><br class=""><span class=""><a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" class="">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a></span><br class=""></div></blockquote></div>_______________________________________________<br class="">dns-operations mailing list<br class=""><a href="mailto:dns-operations@lists.dns-oarc.net" class="">dns-operations@lists.dns-oarc.net</a><br class="">https://lists.dns-oarc.net/mailman/listinfo/dns-operations<br class=""></div></blockquote></div><br class=""></div></body></html>