The no-qname proof is the closest encloser proof with NSEC. A separate proof may be needed with NSEC3.
-- 
Mark Andrews

> On 21 Sep 2020, at 04:53, Brian Somers <[email protected]> wrote:
> 
> This is an interesting behaviour from google. It’s not wrong…
> I struggled with this when doing the negative proof stuff in the
> OpenDNS code.
> 
> The issue is around providing the closest encloser when that
> closest encloser is the zone apex. Is it necessary? A validator
> can reliably imply the closest encloser if it “falls off the top” when
> looking for it. So if this zone was NSEC3 signed and only presented
> the *.runbox.com, the validator should be able to suspect that the
> *.runbox.com NSEC3’s parent is at the zone apex, then prove it.
> 
> In this case however, the presentation of *.runbox.com as an RR
> also implies that runbox.com has an NSEC. As that NSEC is not
> otherwise required, that’s enough. One record supplies the
> closest encloser and the proof that an applicable wildcard exists
> that doesn’t include the TLSA type.
> 
> —
> Brian
> 
>> On Sep 16, 2020, at 1:31 PM, Viktor Dukhovni <[email protected]> wrote:
>> 
>>> On Wed, Sep 16, 2020 at 11:50:31AM -0700, Marek Vavruša wrote:
>>> Hi Viktor, I forgot to update this thread, but this should be fixed.
>> 
>> Thanks! Looks much better now. Now it is Google's turn. I still see
>> an incomplete NSEC3 RRset from 8.8.8.8:
>> 
>> $ hsdig -n8.8.8.8 -D -t tlsa _25._tcp.mx.runbox.com
>> _25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=1
>> runbox.com. IN SOA dns61.copyleft.no. [email protected]. 3000008499
>> 14400 3600 1296000 3600
>> runbox.com. IN RRSIG SOA 13 2 86400 20200930104345 20200916091345 18202
>> runbox.com. <sig>
>> *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
>> *.runbox.com. IN RRSIG NSEC 13 2 3600 20200930104345 20200916091345 18202
>> runbox.com. <sig>
>> 
>> but the NSEC establishing the zone apex as the closest encloser (now
>> present in the CF responses):
>> 
>> $ hsdig -n1.0.0.1 -D -t tlsa _25._tcp.mx.runbox.com
>> _25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=1
>> runbox.com. IN SOA dns61.copyleft.no. [email protected]. 3000008499
>> 14400 3600 1296000 3600
>> runbox.com. IN RRSIG SOA 13 2 86400 20200930104345 20200916091345 18202
>> runbox.com. <sig>
>> munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
>> munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200930104345 20200916091345
>> 18202 runbox.com. <sig>
>> *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
>> *.runbox.com. IN RRSIG NSEC 13 2 3600 20200930104345 20200916091345 18202
>> runbox.com. <sig>
>> 
>> is missing from the GOOG responses.
>> 
>> -- 
>> Viktor.
>> _______________________________________________
>> dns-operations mailing list
>> [email protected]
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
