On 08/04/2016 11:39, Edward Lewis wrote:
> I can't find a draft to cite for this talk, so this refers to the slides
> presented.
>
> "DNSSEC Protocol Modifications"
> (http://www.rfc-editor.org/rfc/rfc4035.txt) has an explicit prohibition on
> names owning only NSEC and RRSIG.
>
> Yeah.
>
> I'm not holding this up as a royal edict. But it's there in plain text.
>
> Fortunately there's a rationale why the requirement language is there, so
> there's a starting point to "work on this."
If you treat Cloudflare's implementation as a virtual wildcard record where
every owner name implicitly exists, then IMHO the rationale in RFC 4035
(below) doesn't apply:

"That is, the signing process MUST NOT create NSEC or RRSIG RRs for owner
name nodes that were not the owner name of any RRset before the zone was
signed. The main reasons for this are a desire for namespace consistency
between signed and unsigned versions of the same zone and a desire to reduce
the risk of response inconsistency in security oblivious recursive name
servers."

That said, Cloudflare's implementation appears to assert that the wildcard
doesn't exist either - I've asked Olafur to check out the implications of
that.

Ray

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
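The RFC 4035 rule quoted in the thread (NSEC and RRSIG RRs may only be owned by names that existed in the unsigned zone) is something a zone operator or auditor can check mechanically by comparing the signed NSEC chain against the unsigned owner-name set. The Python below is an added example written for this page; it is not code from the thread, from Cloudflare, or from any DNS implementation. The zone contents are constructed, and `synthesized_view` is a hypothetical stand-in for a signer that answers a query with an NSEC owned by the queried, nonexistent name, modelling the behaviour the thread is discussing. `covering_nsec` shows the conventional RFC 4035 answer for the same query, for contrast.

```python
"""Audit for RFC 4035 section 2.3: NSEC (and RRSIG) RRs may only be owned by
names that existed in the unsigned zone.

Added example, not code from the DNSOP thread or any DNS implementation.
All zone data is constructed for illustration.
"""

# Constructed unsigned zone: owner name -> set of RR types present.
UNSIGNED_ZONE = {
    "example.": {"SOA", "NS"},
    "a.example.": {"A"},
    "c.example.": {"A", "AAAA"},
}


def canonical_key(name):
    """Sort key for DNSSEC canonical name ordering (RFC 4034 section 6.1):
    labels are compared right to left, case-insensitively, as byte strings,
    so a parent name sorts before its children."""
    labels = [lab.lower().encode() for lab in name.rstrip(".").split(".") if lab]
    return tuple(reversed(labels))


def build_nsec_chain(zone):
    """Sign-time NSEC generation that obeys RFC 4035: one NSEC per existing
    owner name, each pointing at the next name in canonical order, the last
    wrapping to the apex. Returns owner -> (next_name, type_bitmap)."""
    names = sorted(zone, key=canonical_key)
    chain = {}
    for i, owner in enumerate(names):
        nxt = names[(i + 1) % len(names)]
        chain[owner] = (nxt, set(zone[owner]) | {"NSEC", "RRSIG"})
    return chain


def covering_nsec(chain, qname):
    """Conventional denial of existence: return the (owner, next) pair of the
    NSEC whose interval covers qname, i.e. owner < qname < next in canonical
    order, treating the wrap-around record specially. None if qname exists
    or the chain is broken."""
    q = canonical_key(qname)
    for owner, (nxt, _types) in chain.items():
        o, n = canonical_key(owner), canonical_key(nxt)
        if o < q < n or (n <= o and (q > o or q < n)):
            return owner, nxt
    return None


def synthesized_view(unsigned, qname):
    """Hypothetical signer (constructed for this example) that, when asked
    for a nonexistent name, emits an NSEC plus RRSIG owned by that very name
    instead of returning the covering NSEC from the chain."""
    chain = build_nsec_chain(unsigned)
    cover = covering_nsec(chain, qname)
    successor = cover[1] if cover else "example."
    view = dict(chain)
    view[qname] = (successor, {"NSEC", "RRSIG"})
    return view


def check_signed_against_unsigned(unsigned, signed_nsec):
    """The RFC 4035 section 2.3 audit: every owner name carrying NSEC/RRSIG
    in the signed view must have existed in the unsigned zone. Returns the
    offending names in canonical order (empty list means compliant)."""
    return sorted(
        (owner for owner in signed_nsec if owner not in unsigned),
        key=canonical_key,
    )


if __name__ == "__main__":
    chain = build_nsec_chain(UNSIGNED_ZONE)
    print("compliant chain violations:",
          check_signed_against_unsigned(UNSIGNED_ZONE, chain))
    print("covering NSEC for b.example.:", covering_nsec(chain, "b.example."))
    print("synthesizing signer violations:",
          check_signed_against_unsigned(
              UNSIGNED_ZONE, synthesized_view(UNSIGNED_ZONE, "b.example.")))
```

Running the audit against the compliant chain reports nothing; running it against the synthesizing signer's view flags `b.example.`, which is exactly the namespace-consistency gap the quoted rationale is about: the signed zone now has an owner name the unsigned zone never had.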