> On Apr 8, 2016, at 11:08 AM, Ray Bellis <r...@bellis.me.uk> wrote:
>
> On 08/04/2016 11:39, Edward Lewis wrote:
>> I can't find a draft to cite for this talk, so this refers to the slides
>> presented.
>>
>> "DNSSEC Protocol Modifications"
>> (http://www.rfc-editor.org/rfc/rfc4035.txt) has an explicit prohibition on
>> names owning only NSEC and RRSIG.
>>
>> Yeah.
>>
>> I'm not holding this up as a royal edict. But it's there in plain text.
>>
>> Fortunately there's a rationale why the requirement language is there, so
>> there's a starting point to "work on this."

Ed,

So the draft document needs to update RFC4035; thanks for pointing that out.

At one point we contemplated adding a bit to the NSEC signaling this was a
forged NSEC record, just to get around the text in RFC4035 :-)

> If you treat Cloudflare's implementation as a virtual wildcard record
> where every owner name implicitly exists, then IMHO the rationale in RFC
> 4035 (below) doesn't apply:
>
> "That is, the signing process MUST NOT create NSEC or RRSIG RRs for
> owner name nodes that were not the owner name of any RRset before the
> zone was signed. The main reasons for this are a desire for namespace
> consistency between signed and unsigned versions of the same zone
> and a desire to reduce the risk of response inconsistency in security
> oblivious recursive name servers."
>
> That said, Cloudflare's implementation appears to assert that the
> wildcard doesn't exist either - I've asked Olafur to check out the
> implications of that.
>
> Ray

Yes, we check for wildcard match before generating the NSEC.

Olafur
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
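The "virtual wildcard" reading Ray gives above, and the ordering Olafur confirms (wildcard match first, NSEC generation second), as an added illustration in Python. This is not Cloudflare's code and not from the thread: the sample zone, the response shape, the per-name NSEC whose next name is the queried name with a `\000` label prepended so it covers nothing else, and the omission of the wildcard closer-match proof are all assumptions made here. What it shows is the decision order, the empty-non-terminal case, and that the NSEC handed out for a name that never existed is owned by exactly the node RFC 4035 section 2.3 says a signer must not create one for.

```python
# Added example: on-the-fly NSEC under "every owner name implicitly exists".
# Not Cloudflare's implementation; zone, response shape and next-name rule
# are assumptions for illustration.

# Constructed sample zone (assumption): owner name -> RR types present there.
ZONE = {
    "example.com": {"SOA", "NS", "DNSKEY"},
    "www.example.com": {"A"},
    "*.wild.example.com": {"A"},
    "host.deep.sub.example.com": {"A"},  # implies empty non-terminals deep.sub, sub
}
APEX = "example.com"


def labels(name):
    """Presentation-form name -> list of labels (no escaped dots assumed)."""
    return name.lower().rstrip(".").split(".")


def label_bytes(label):
    """Wire form of one label: decode \\DDD escapes (enough for \\000), lowercase."""
    out, i = bytearray(), 0
    while i < len(label):
        if label[i] == "\\" and label[i + 1:i + 4].isdigit():
            out.append(int(label[i + 1:i + 4]))
            i += 4
        else:
            out.append(ord(label[i].lower()))
            i += 1
    return bytes(out)


def canonical_key(name):
    """RFC 4034 s6.1 canonical ordering: compare labels from the right;
    a name that is a proper prefix of another sorts first."""
    return tuple(label_bytes(l) for l in reversed(labels(name)))


def existing_names(zone):
    """Every owner name plus the empty non-terminals it implies, down to the apex."""
    names, depth = set(), len(labels(APEX))
    for owner in zone:
        ls = labels(owner)
        while len(ls) >= depth:
            names.add(".".join(ls))
            ls = ls[1:]
    return names


def closest_encloser(names, qname):
    """Longest existing ancestor of qname (RFC 4592 terminology)."""
    ls = labels(qname)[1:]
    while ls:
        if ".".join(ls) in names:
            return ".".join(ls)
        ls = ls[1:]
    return None


def wildcard_source(zone, names, qname):
    """A wildcard matches only if '*.<closest encloser>' is an owner name."""
    ce = closest_encloser(names, qname)
    cand = None if ce is None else "*." + ce
    return cand if cand in zone else None


def minimal_next_name(owner):
    """Immediate successor in canonical order: prepend the smallest label
    (one zero octet), so the NSEC covers no name but its owner.  Assumption;
    the thread does not say how next names are chosen."""
    return "\\000." + owner


def synthesize_nsec(owner, types):
    """On-the-fly NSEC for owner; RRSIG is always in the bitmap since it is signed."""
    return {"owner": owner, "next": minimal_next_name(owner),
            "types": sorted(set(types) | {"NSEC", "RRSIG"})}


def nsec_covers(nsec, name):
    """True if name sorts strictly between the NSEC's owner and next name."""
    return canonical_key(nsec["owner"]) < canonical_key(name) < canonical_key(nsec["next"])


def respond(zone, qname, qtype):
    """Authoritative response under the model; wildcard answers omit the
    closer-match proof, which is outside this example."""
    names, q = existing_names(zone), qname.lower().rstrip(".")
    if q in zone and qtype in zone[q]:
        return {"rcode": "NOERROR", "answer": (q, qtype), "wildcard": None, "nsec": None}
    if q in names:  # real name or empty non-terminal lacking the type: true bitmap
        return {"rcode": "NOERROR", "answer": None, "wildcard": None,
                "nsec": synthesize_nsec(q, zone.get(q, set()))}
    src = wildcard_source(zone, names, q)  # checked before any NSEC is generated
    if src is not None and qtype in zone[src]:
        return {"rcode": "NOERROR", "answer": (q, qtype), "wildcard": src, "nsec": None}
    # Nothing to answer from: instead of NXDOMAIN plus pre-signed neighbour NSECs,
    # assert the name exists and owns only NSEC and RRSIG.  This is the NSEC for a
    # node that "was not the owner name of any RRset before the zone was signed".
    return {"rcode": "NOERROR", "answer": None, "wildcard": src,
            "nsec": synthesize_nsec(q, set())}
```

Running `respond(ZONE, "nope.example.com", "A")` returns a NOERROR response whose NSEC is owned by `nope.example.com` with next name `\000.nope.example.com` and bitmap `NSEC RRSIG`; `nsec_covers` confirms that record denies no other name, which is what lets every name be answered this way without leaking the zone's real neighbours.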