This is an interesting behaviour from Google. It's not wrong… I struggled with this when doing the negative proof stuff in the OpenDNS code.

The issue is around providing the closest encloser when that closest encloser is the zone apex. Is it necessary? A validator can reliably imply the closest encloser if it "falls off the top" when looking for it. So if this zone was NSEC3 signed and only presented the *.runbox.com, the validator should be able to suspect that the *.runbox.com NSEC3's parent is at the zone apex, then prove it. In this case however, the presentation of *.runbox.com as an RR also implies that runbox.com has an NSEC. As that NSEC is not otherwise required, that's enough. One record supplies the closest encloser and the proof that an applicable wildcard exists that doesn't include the TLSA type.

— Brian

> On Sep 16, 2020, at 1:31 PM, Viktor Dukhovni <[email protected]> wrote:
>
> On Wed, Sep 16, 2020 at 11:50:31AM -0700, Marek Vavruša wrote:
>> Hi Viktor, I forgot to update this thread, but this should be fixed.
>
> Thanks! Looks much better now. Now it is Google's turn. I still see
> an incomplete NSEC3 RRset from 8.8.8.8:
>
> $ hsdig -n8.8.8.8 -D -t tlsa _25._tcp.mx.runbox.com
> _25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=1
> runbox.com. IN SOA dns61.copyleft.no. [email protected]. 3000008499
> 14400 3600 1296000 3600
> runbox.com. IN RRSIG SOA 13 2 86400 20200930104345 20200916091345 18202
> runbox.com. <sig>
> *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
> *.runbox.com. IN RRSIG NSEC 13 2 3600 20200930104345 20200916091345 18202
> runbox.com. <sig>
>
> but the NSEC establishing the zone apex as the closest encloser (now
> present in the CF responses):
>
> $ hsdig -n1.0.0.1 -D -t tlsa _25._tcp.mx.runbox.com
> _25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=1
> runbox.com. IN SOA dns61.copyleft.no. [email protected]. 3000008499
> 14400 3600 1296000 3600
> runbox.com. IN RRSIG SOA 13 2 86400 20200930104345 20200916091345 18202
> runbox.com. <sig>
> munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200930104345 20200916091345
> 18202 runbox.com. <sig>
> *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
> *.runbox.com. IN RRSIG NSEC 13 2 3600 20200930104345 20200916091345 18202
> runbox.com. <sig>
>
> is missing from the GOOG responses.
>
> --
> Viktor.
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
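To make the two NSEC sets quoted above concrete, here is an added example (not code from the thread, from Google or Cloudflare, or from any resolver) that applies the RFC 4035 §3.1.3.4 wildcard no-data checks to each response and reports which proof elements it carries; the record sets are constructed, simplified renderings of the names in Viktor's hsdig output, and the canonical-order and cover logic is a plain reimplementation of RFC 4034 §6.1.

```python
# Added example: which elements of an NSEC "wildcard no data" proof
# (RFC 4035 §3.1.3.4) does a response carry? Record sets below are
# constructed from the names quoted in the thread, not captured wire data.

def canon(name):
    """Canonical ordering key (RFC 4034 §6.1): labels reversed, lower-cased."""
    return [lab.lower().encode() for lab in name.rstrip(".").split(".")[::-1]]

def nsec_covers(owner, nxt, qname):
    """True if qname sorts strictly between owner and next, i.e. it does not exist."""
    o, n, q = canon(owner), canon(nxt), canon(qname)
    if o < n:
        return o < q < n
    return q > o or q < n          # last NSEC of the zone wraps around to the apex

def wildcard_nodata_proof(qname, qtype, nsecs):
    """Report which proof elements nsecs (owner, next, type set) give for qname/qtype."""
    r = {"closest_encloser": None, "wildcard_nodata": False, "qname_covered": False}
    for owner, nxt, types in nsecs:
        # An NSEC owned by *.<name> proves the wildcard exists and, via its type
        # bitmap, whether it carries qtype; its parent is the closest encloser.
        if owner.startswith("*.") and qname.endswith(owner[1:]):
            r["closest_encloser"] = owner[2:]
            r["wildcard_nodata"] = qtype not in types
        # An NSEC spanning qname proves no name closer than the wildcard exists.
        if nsec_covers(owner, nxt, qname):
            r["qname_covered"] = True
    r["complete"] = r["wildcard_nodata"] and r["qname_covered"]
    return r

QNAME, QTYPE = "_25._tcp.mx.runbox.com.", "TLSA"
WILDCARD_NSEC = ("*.runbox.com.", "_acme-challenge.runbox.com.", {"A", "MX", "RRSIG", "NSEC"})
COVERING_NSEC = ("munin01.runbox.com.", "ipmi.mysql01.runbox.com.", {"A", "RRSIG", "NSEC"})
GOOG_RESPONSE = [WILDCARD_NSEC]                  # NSEC set as quoted from 8.8.8.8
CF_RESPONSE = [COVERING_NSEC, WILDCARD_NSEC]     # NSEC set as quoted from 1.0.0.1

if __name__ == "__main__":
    for label, nsecs in (("8.8.8.8", GOOG_RESPONSE), ("1.0.0.1", CF_RESPONSE)):
        print(label, wildcard_nodata_proof(QNAME, QTYPE, nsecs))
```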
