On Sun, Oct 25, 2015 at 11:39:25PM -0700, Paul Vixie wrote:

> sanity check, someone?

Yes, you're quite sane. :-)

> I believe that in dnssec, an empty non-terminal has a proof that the name 
> exists, and a proof that there are no RR's. thus, vastly different from the 
> signaling for NXDOMAIN.

Definitely.  

In my surveys of DANE adoption for SMTP, I'm exercising the
"authenticated denial of existence" support of a fairly large number
of nameservers (my scans cover ~5 million domains).

My validating recursor is unbound, and it rejects NXDOMAIN replies
in which the NSEC/NSEC3 records demonstrate that the qname is an
empty non-terminal.  Conversely it rejects NODATA replies where
the NSEC/NSEC3 records prove the non-existence of the qname.

When I've reported either issue to the responsible operators,
excepting cases where the guilty party has simply buried their head
in the sand and not responded, upgrades of the DNS software to a
more recent supported version (of say PowerDNS) have resolved the
problem.

> this ought to end, for all time, the debate about whether empty nonterminals 
> exist or not. (there are some authority servers who return NXDOMAIN for them, 
> and we need to know whether those servers are wrong, before we advance query 
> minimization.)

The servers that return NXDOMAIN for empty non-terminals are wrong.

Example:

    @nszero1.axc.nl.
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13022
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
    ;_25._tcp.mail.maartenburie.nl. IN TLSA
    maartenburie.nl.        SOA     nszero1.axc.nl. hostmaster.maartenburie.nl. 2015013000 14400 3600 1209600 86400
    maartenburie.nl.        RRSIG   SOA 8 2 14400 20151105000000 20151015000000 56271 maartenburie.nl. ...
    maartenburie.nl.        NSEC    maartenburie.nl. A NS SOA MX TXT RRSIG NSEC DNSKEY
    maartenburie.nl.        RRSIG   NSEC 8 2 86400 20151105000000 20151015000000 56271 maartenburie.nl. ...

    $ unbound-host -t tlsa -v _25._tcp.mail.maartenburie.nl
    _25._tcp.mail.maartenburie.nl has no TLSA record (BOGUS (security failure))
    validation failure <_25._tcp.mail.maartenburie.nl. TLSA IN>: nodata proof failed from 159.253.2.101

The "proof" above is valid for NXDOMAIN, but not NODATA.  In this
case the problem is a bit more subtle: in addition to the zone
apex, this domain has a wildcard A record, but seems to leave it
out of the NSEC chain.  So NODATA is actually correct, but the NSEC
records are wrong.

-- 
        Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop