In message <ea312f37-2e4c-45e0-af0a-b0a0663b7...@dnss.ec>, Roy Arends writes:
> Having read the draft
>
> How does one distinguish an Empty Non-Terminal NODATA response from an
> NXDOMAIN response, solely by looking at the NSEC or NSEC3 records.

NSEC: Find the NSEC record that proves that there are no records at the given name (note all of the owner, the next domain name and the bit map need to be examined to do this). If either the owner name or the next domain name of that record is a subdomain of the given name then it is an ENT, otherwise it is an NXDOMAIN.

> There is an attack vector where an RCODE0 can be replaced by RCODE3 while
> keeping the rest of the response completely intact, causing an aggressive
> use enabled cache to deny existing records.
>
> These kinds of subtleties aren't described in the draft, as far as I can
> tell.
>
> Roy
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
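The NSEC rule Mark gives above, written out as an added example (this is not code from the thread, from ISC, or from the draft). It applies RFC 4034 canonical name ordering to check that a single NSEC record covers the query name, then classifies the proof as ENT (NODATA) or NXDOMAIN by asking whether the owner or next name lies below the query name, and finally cross-checks that verdict against the RCODE the response carried, which is the mismatch a cache would want to detect given the RCODE-flipping concern Roy raises. Function names, the zone names and the constructed NSEC records are my own assumptions; the example also handles the last NSEC of a zone, whose next name wraps to the apex.

```python
"""Added example (not from the DNSOP thread): classify an NSEC proof as
ENT/NODATA or NXDOMAIN and check it against the response RCODE."""

NOERROR, NXDOMAIN = 0, 3  # RCODE values from RFC 1035


def _labels(name: str) -> list:
    """Presentation-format name -> list of lowercase label bytes, left to right."""
    name = name.rstrip(".").lower()
    return [lab.encode() for lab in name.split(".")] if name else []


def canonical_cmp(a: str, b: str) -> int:
    """RFC 4034 section 6.1 canonical order: compare labels from the right,
    bytewise and case-insensitively; an ancestor sorts before its descendants."""
    la, lb = _labels(a)[::-1], _labels(b)[::-1]
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def is_subdomain(name: str, ancestor: str) -> bool:
    """True if name equals ancestor or lies below it."""
    n, a = _labels(name), _labels(ancestor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if the NSEC (owner -> next_name) proves qname has no NSEC of its own,
    i.e. owner < qname < next in canonical order, allowing the apex wrap-around."""
    if canonical_cmp(owner, next_name) < 0:
        return canonical_cmp(owner, qname) < 0 < canonical_cmp(next_name, qname)
    # Last NSEC in the zone: next_name is the apex, so the range wraps.
    return canonical_cmp(owner, qname) < 0 or canonical_cmp(next_name, qname) > 0


def classify(owner: str, next_name: str, qname: str) -> str:
    """Apply the rule from the mail: a covering NSEC whose owner or next name is
    below qname proves an empty non-terminal (NODATA); otherwise NXDOMAIN."""
    if not nsec_covers(owner, next_name, qname):
        raise ValueError("NSEC %s -> %s does not cover %s" % (owner, next_name, qname))
    if is_subdomain(owner, qname) or is_subdomain(next_name, qname):
        return "ENT"
    return "NXDOMAIN"


def rcode_consistent(rcode: int, owner: str, next_name: str, qname: str) -> bool:
    """A cache doing aggressive negative caching should only accept the response
    if the RCODE agrees with what the NSEC proof actually says."""
    expected = NOERROR if classify(owner, next_name, qname) == "ENT" else NXDOMAIN
    return rcode == expected


if __name__ == "__main__":
    # Constructed zone: example.com has a.b.example.com (so b.example.com is an
    # ENT), plus c.example.com and z.example.com as ordinary names.
    print(classify("example.com.", "a.b.example.com.", "b.example.com."))       # ENT
    print(classify("a.b.example.com.", "c.example.com.", "bb.example.com."))    # NXDOMAIN
    print(classify("z.example.com.", "example.com.", "zz.example.com."))        # NXDOMAIN (wrap)
    # ENT proof arriving with RCODE 3 instead of 0 is inconsistent and should be rejected.
    print(rcode_consistent(NXDOMAIN, "example.com.", "a.b.example.com.", "b.example.com."))
```

The consistency check is the defensive takeaway: a resolver that synthesizes negative answers from NSEC should derive the answer type from the NSEC evidence itself rather than trust the RCODE field, since the RCODE is not covered by any signature.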