On 27/03/2023 at 17:09, Viktor Dukhovni wrote:
On Mon, Mar 27, 2023 at 04:28:30PM +0200, Emmanuel Fusté wrote:

definitely does not exist.  The issue, I take it, is that the
sentinel-free:

      nxdomain.example. IN NSEC \0.nxdomain.example. RRSIG NSEC

which is an ENT per:

      https://datatracker.ietf.org/doc/html/draft-huque-dnsop-compact-lies-01#section-3.2

may for some time be ambiguous while still used for NXDOMAIN by earlier
implementations.  For that, sure, we should encourage those
implementations to adopt whatever becomes the published protocol at
their earliest convenience (realistically a year or two based on prior
experience nagging operators to resolve compliance issues).
Thank you Viktor.
That confirms my understanding and my analysis in my answers to Petr.
Do you have a list of operators that currently return just "RRSIG NSEC"
for ENTs?  Do you know what software they are running?
I double-checked: route53/AWS currently returns just "RRSIG NSEC" for ENTs.

Even worse, it seems that they infer answers to non-EDNS or cleared-DO-bit questions from an internal DNSSEC response, even for non-DNSSEC-enabled zones:
- they currently return NXDOMAIN for ENTs on apparently non-DNSSEC-signed zones.
- they currently return NXDOMAIN for ENTs on DNSSEC-signed zones for requests in plain DNS or with the DO bit cleared.


On the fly signing with compact denial of existence is a bleeding-edge
behaviour, and one might expect that the software in question is not
ossified and operators might be proactive.  So with a bit of luck any
ambiguity might be resolved before long.

The only other option is to introduce yet another sentinel that signals
that the node in question is an ENT, so that the bare "RRSIG NSEC"
combination is ultimately never used.
Yes, it was my conclusion too.

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
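The ambiguity discussed in this thread, as an added example (not code from either poster): a small classifier for a compact-denial-of-existence NSEC record that tells an ENT answer apart from an NXDOMAIN answer carrying a sentinel, and flags the bare "RRSIG NSEC" bitmap as ambiguous while older implementations still use it for NXDOMAIN. It assumes the sentinel is the NXNAME pseudo-type mnemonic in the type bitmap; the thread itself only speaks of "a sentinel".

```python
"""Classify compact-denial NSEC answers (ENT vs. NXDOMAIN vs. NODATA)."""
from dataclasses import dataclass

# A compact-denial response carries an NSEC whose bitmap contains only
# the types that are really present plus RRSIG and NSEC themselves.
RRSIG_NSEC_ONLY = frozenset({"RRSIG", "NSEC"})
# Assumption: the NXDOMAIN sentinel is the NXNAME pseudo-type in the bitmap.
NXDOMAIN_SENTINEL = "NXNAME"


@dataclass(frozen=True)
class NsecRR:
    owner: str            # owner name, e.g. "nxdomain.example."
    next_name: str        # next name from RDATA, e.g. "\0.nxdomain.example."
    types: frozenset      # type bitmap as mnemonics


def parse_nsec_line(line: str) -> NsecRR:
    """Parse a presentation-format line: owner [ttl] [IN] NSEC next types..."""
    fields = line.split()
    i = fields.index("NSEC")
    return NsecRR(fields[0], fields[i + 1], frozenset(fields[i + 2:]))


def is_minimal_cover(rr: NsecRR) -> bool:
    """Compact denial sets next = \\0.<owner> (\\000 in zone-file syntax)
    so the record covers no real name other than the owner."""
    nxt, owner = rr.next_name.lower(), rr.owner.lower()
    return nxt in ("\\0." + owner, "\\000." + owner)


def classify(qname: str, rr: NsecRR, trust_draft_semantics: bool = False) -> str:
    """Return NXDOMAIN, ENT, NODATA, NOT-COMPACT, or the ambiguous label.

    trust_draft_semantics=True applies the draft's reading (bare "RRSIG NSEC"
    means ENT); False keeps the ambiguity with pre-sentinel NXDOMAIN answers.
    """
    if rr.owner.lower() != qname.lower() or not is_minimal_cover(rr):
        return "NOT-COMPACT"          # ordinary NSEC or unrelated owner
    if NXDOMAIN_SENTINEL in rr.types:
        return "NXDOMAIN"             # sentinel present: unambiguous
    if rr.types == RRSIG_NSEC_ONLY:
        return "ENT" if trust_draft_semantics else "ENT-OR-LEGACY-NXDOMAIN"
    return "NODATA"                   # name exists; bitmap lists its types
```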