Hello folks,

[RFC4035 3.1.3. Including NSEC RRs in a Response](https://datatracker.ietf.org/doc/html/rfc4035#section-3.1.3) describes four different cases in which NSEC records should be included in a response:

1. No Data
2. Name Error
3. Wildcard Answer
4. Wildcard No Data

I am trying to find real-world examples to help me better understand the cases above. I found some examples for case 1 and case 2:

1. No Data

```
dig www.ietf.org.cdn.cloudflare.net. MX +dnssec +cdflag +tcp

;; QUESTION SECTION:
;www.ietf.org.cdn.cloudflare.net. IN MX

;; AUTHORITY SECTION:
www.ietf.org.cdn.cloudflare.net. 757 IN RRSIG NSEC 13 6 3600 20211023001635 20211020221635 34505 cloudflare.net. CivIamjPTC4Q9u8Qo6UpBh7x3f94ZMEZ7oxAU0ZEkzcnhMaJ8jEOQv+N e3md2JQEKTD01OKa0EGwdRTMb453ww==
www.ietf.org.cdn.cloudflare.net. 757 IN NSEC \000.www.ietf.org.cdn.cloudflare.net. A HINFO TXT AAAA LOC SRV NAPTR CERT SSHFP RRSIG NSEC TLSA SMIMEA HIP OPENPGPKEY TYPE64 TYPE65 SPF URI CAA
cloudflare.net. 757 IN SOA ns1.cloudflare.net. dns.cloudflare.com. 1634858195 10000 2400 604800 3600
cloudflare.net. 757 IN RRSIG SOA 13 2 3600 20211023001635 20211020221635 34505 cloudflare.net. 26pedBEBsFVlmfTuhLGYHOsu0Zzdv5yEqHRCliAF3iOG5GUXb6oTX99+ GtVJ8YcWYShwXdJzuMD7hkDvCVgD+Q==
```

The returned NSEC record shows that `www.ietf.org.cdn.cloudflare.net.` exists, but the NSEC record does not cover the MX type; therefore, there is no data for the MX record.

2. Name Error

```
dig wwwwwwww.ietf.org. AAAA +dnssec +cdflag +tcp

;; QUESTION SECTION:
;wwwwwwww.ietf.org. IN AAAA

;; AUTHORITY SECTION:
ietf.org. 770 IN SOA ns0.amsl.com. glen.amsl.com. 1200000537 1800 1800 604800 1800
ietf.org. 770 IN RRSIG SOA 5 2 1800 20221019014909 20211019005139 40452 ietf.org. GUaWdfXoPWOjb+/1w5Dtn8VoeemBYXdDIQui365JuuIBkEC4YKFLb+m+ u8YJ+cbnTzDb768HkTX8AbWaupZVR2FLn2r06hf6YruVi5jRjzExYLQ6 22Rn8TCvNpNRBZ7fyEcBd9m3aacGr+2iBXgYL9QRXag0tSAAW5oxjI8H CcQLLylwGKDvQv2sNIQLxZlkYFXa+swBOuFQdT8MmymOKjV1d+p3s+S0 1HdUb7JAR2vTK/UVib5zfyXGiQcpD6F3XOQNVTY2dgc2ywAqoudANVmz Rm9rql12MALn2hu5HwrfC0djzXxo6Ry8I0KLmRtAsDoz4ie95Oh1Bnt4 qUhJLA==
ietf.org. 770 IN RRSIG NSEC 5 2 1800 20221019015032 20211019005139 40452 ietf.org. PiCNEGBSBbC/ALNR5ebDwk1wQGMH/l6MtV5ZAGYl9M1wf43NrqHapDlU AP2E07FsPIyo9PcWui67PidLgVA4e0rRJbyHK2B92tEeprZbxSOCeIFi NWiLl1oCZt+IQCCnFlzJkbwk2MWOVRYxUdQfmWk0QZZZtRr1c/i4VwPU MAVqCORkGpc6W6LLiTITLphe7X0NHb7e41n8J06tPh1a6GmRYRJCy41c F26Bf6GcEJBpNTvlNuirimbhvjL4Ax+FHBe5MA/Tjp4K1AeUIA0ibBVI 20o14zUqSsph67/Snz9fdpJ/dsvP9QwTNLTKR6Jxofi/ArWEBEheXsm+ pkZTRA==
ietf.org. 770 IN NSEC _dmarc.ietf.org. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY SPF
wwwtest.ietf.org. 770 IN RRSIG NSEC 5 3 1800 20221019015021 20211019005139 40452 ietf.org. regwKawm6O9BAaHVyBICHjPlGiwDWoXO8OaqH4zJOOgAglrAMXajbEmx XHJsbq3DVEVGkU8NSQJxmGYjklyKzmMbIBpt7+RaXKT7WIGd/zRjSlnI gWSztB6gWTMQq98vQKeFgrt5X8a10p6C36gtJh5sGFq8FpiAvKoKuGO8 tyWKxux7pEQhlhTySr7ipRe8qmGDpy4H+8bkGqvJ7UJ0f3A366bZyD2Q XLdTG4DUrNWt8wKK0FiL2851PegU8FdQb0IXOlBHNF6qXiKCIhBLbK4W 3O3UYKsNLhYPBYuWNGZQ2mlEsfgUC9ddBU1trmMEObm3E+1tR/jemSYA uF+S7Q==
wwwtest.ietf.org. 770 IN NSEC xml2rfc.ietf.org. CNAME RRSIG NSEC
```

The returned NSEC records show that both `wwwwwwww.ietf.org.` and `*.ietf.org.` do not exist; therefore it is a name error.

---

However, it is very hard to find examples for case 3 and case 4:

3. Wildcard Answer
4. Wildcard No Data

It requires the zone to be configured with a wildcard record and to be signed with DNSSEC. One example I can find, but not what I want, is:

```
dig "*.cloudflare.com." NSEC +dnssec +cdflag +tcp
```

The response is

```
;; QUESTION SECTION:
;*.cloudflare.com. IN NSEC

;; ANSWER SECTION:
*.cloudflare.com. 300 IN NSEC \000.*.cloudflare.com. RRSIG NSEC
*.cloudflare.com. 300 IN RRSIG NSEC 13 2 300 20211023002134 20211020222134 34505 cloudflare.com. D06CbZi5aXMm55fhhqbQNKqGmE0euonIGE8hcVFvIbdqIbZ2d6JnkeWN k76JTLMphqS1KOGVIkI58xoChnxrMQ==
```

This seems like a wildcard response. However, when I send a query for some name that I think would match the wildcard, a non-wildcard response is sent back:

```
dig "IThinkItShouldNeverExist.cloudflare.com." NSEC +dnssec +cdflag +tcp

; <<>> DiG 9.10.6 <<>> IThinkItShouldNeverExist.cloudflare.com. NSEC +dnssec +cdflag +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19174
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;IThinkItShouldNeverExist.cloudflare.com. IN NSEC

;; ANSWER SECTION:
IThinkItShouldNeverExist.cloudflare.com. 300 IN NSEC \000.ithinkitshouldneverexist.cloudflare.com. RRSIG NSEC
IThinkItShouldNeverExist.cloudflare.com. 300 IN RRSIG NSEC 13 3 300 20211023002429 20211020222429 34505 cloudflare.com. FbjDF2mF4pQrGJTDS/Ylo3ObhmrQUN7Jw601m/hz2A9nO4ZzOXfTR5ue G1CKy37Q9NuX7zBm8qyCnQbntO/q6w==

;; Query time: 4 msec
```

Note that the `labels` field of the RRSIG is 3 instead of 2 for the wildcard answer, which means this record is created by using online signing, I guess? Therefore it is not what I expect to see.

---

Could you give me some real-world examples that contain DNSSEC Secure `Wildcard Answer` or `Wildcard No Data` as described by [RFC4035 3.1.3. Including NSEC RRs in a Response](https://datatracker.ietf.org/doc/html/rfc4035#section-3.1.3)?

Thanks.

--
Joey Deng

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
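The checks a validator runs to tell the four cases apart, as an added example that is not code from the post or from any of the servers quoted in it: RFC 4034 section 6.1 canonical ordering to decide what an NSEC covers, and the RFC 4035 section 5.3.4 test on the RRSIG Labels field (the "3 instead of 2" observation above) to recognise a Wildcard Answer. The closest-encloser rule (longest suffix the query name shares with the covering NSEC's owner or next name) follows Unbound's approach; the `example.` zone used for the Wildcard No Data case and the Labels value of 2 for the cloudflare.com name are constructed inputs, not responses seen on the wire.

```python
# RFC 4035 s3.1.3 NSEC-case checks, run over the records quoted in this thread. Added
# example, not code from the post: RFC 4034 s6.1 canonical order, RFC 4035 s5.3.4 Labels test.
import re
from itertools import takewhile

def labels(name):
    """Presentation name -> lowercased label bytes, rightmost first; decodes dig's \\DDD."""
    unesc = lambda p: re.sub(r"\\(\d{3})", lambda m: chr(int(m[1])), p)
    return [unesc(p).lower().encode("latin-1") for p in name.strip(".").split(".") if p][::-1]

def canonical_lt(a, b):
    """True if a sorts before b in DNSSEC canonical order (RFC 4034 s6.1)."""
    la, lb = labels(a), labels(b)
    diff = next(((x, y) for x, y in zip(la, lb) if x != y), None)
    return diff[0] < diff[1] if diff else len(la) < len(lb)

def nsec_covers(owner, nxt, qname):
    """NSEC owner -> nxt proves qname absent; the zone's last NSEC wraps to the apex."""
    if canonical_lt(owner, nxt):
        return canonical_lt(owner, qname) and canonical_lt(qname, nxt)
    return canonical_lt(owner, qname) or canonical_lt(qname, nxt)

def closest_encloser(owner, nxt, qname):
    """Longest suffix qname shares with either name of the covering NSEC (Unbound's rule)."""
    def common(other):
        pairs = takewhile(lambda p: p[0] == p[1], zip(labels(qname), labels(other)))
        return [x for x, _ in pairs]
    best = max(common(owner), common(nxt), key=len)
    return ".".join(lab.decode("latin-1") for lab in reversed(best)) + "."

def wildcard_source(owner, rrsig_labels):
    """RFC 4035 s5.3.4: Labels < owner label count (root and '*' not counted) => synthesized."""
    own = [lab for lab in labels(owner) if lab != b"*"]
    if rrsig_labels >= len(own):
        return None  # signed at its own name, as in the cloudflare.com responses above
    return "*." + ".".join(lab.decode() for lab in reversed(own[:rrsig_labels])) + "."

def classify(qname, qtype, nsecs):
    """nsecs: [(owner, next, types)] -> s3.1.3 case; Wildcard Answer comes from wildcard_source."""
    for owner, _, types in nsecs:
        if labels(owner) == labels(qname):
            return "No Data" if qtype not in types else "Unproven"
    for owner, nxt, _ in nsecs:
        if nsec_covers(owner, nxt, qname):
            wc = "*." + closest_encloser(owner, nxt, qname)
            if any(nsec_covers(o, n, wc) for o, n, _ in nsecs):
                return "Name Error"
            if any(labels(o) == labels(wc) and qtype not in t for o, _, t in nsecs):
                return "Wildcard No Data"
    return "Unproven"
```

`classify` only labels what the NSEC records prove; an inconsistent proof (for instance the wildcard's own NSEC listing the queried type) comes back as "Unproven" rather than being guessed at.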