On 22. 10. 21 4:34, Joey Deng wrote:
> Hello folks,
> On [RFC4035 3.1.3. Including NSEC RRs in a
> Response](https://datatracker.ietf.org/doc/html/rfc4035#section-3.1.3), it
> describes four different cases when NSEC records should be included in a
> response:
> 1. No Data
> 2. Name Error
> 3. Wildcard Answer
> 4. Wildcard No Data.
> I am trying to find real world examples to help me better understand the cases
> above, I found some examples for case 1 and case 2:
> 1. No Data
> ```
> dig www.ietf.org.cdn.cloudflare.net. MX +dnssec +cdflag +tcp
> ```
Beware, DNS responses from Cloudflare are not exactly "canonical" because
Cloudflare is using so-called black-lies:
https://blog.cloudflare.com/black-lies/
It is a valid approach, but not the thing you read about in the RFC 403x
series.
For responses "as usual" have a look at these answers:
> 1. No Data
isc.org WKS
> 2. Name Error
surelynonexistentname.isc.org A
> 3. Wildcard Answer
surelynonexistentname.blog.root.cz A
> 4. Wildcard No Data.
surelynonexistentname.blog.root.cz WKS
Here is another set of examples for NSEC3 (RFC 5155):
> 1. No Data
nic.cz WKS
> 2. Name Error
surelynonexistentname.nic.cz A
> 3. Wildcard Answer
surelynonexistentname.pages.nic.cz A
> 4. Wildcard No Data.
surelynonexistentname.pages.nic.cz WKS
I hope it helps.
--
Petr Špaček @ ISC
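
Added example, not part of the original message and not code from ISC or any resolver: a sketch of how a validator could tell the four RFC 4035 3.1.3 cases apart from the NSEC records in a response. The zone `example.`, its records, and the helper names are constructed for illustration; it handles plain NSEC only (not NSEC3) and assumes the RRSIGs were already validated.

```python
# Added example; zone "example." and all records below are constructed.
def norm(name):
    return name.lower().rstrip(".")

def key(name):
    # Canonical name order (RFC 4034 6.1): compare labels right to left
    return tuple(reversed(norm(name).split(".")))

def under(name, anc):
    return norm(name) == norm(anc) or norm(name).endswith("." + norm(anc))

def covers(nsec, name):
    # name lies strictly between owner and next; the last NSEC wraps to the apex
    owner, nxt, k = key(nsec["owner"]), key(nsec["next"]), key(name)
    return owner < k < nxt if owner < nxt else k > owner

def classify(qname, qtype, rcode, nsecs, rrsig_labels=None):
    labels = norm(qname).split(".")
    cover = next((n for n in nsecs if covers(n, qname)), None)
    if rrsig_labels is not None:            # response carries an answer RRset
        if rrsig_labels >= len(labels):
            return "Positive Answer"
        # RRSIG Labels field smaller than the qname: wildcard expansion
        return "Wildcard Answer" if cover else "unproven"
    if rcode == "NXDOMAIN" and cover:
        # closest encloser: longest ancestor shared with the covering NSEC
        anc = [".".join(labels[i:]) for i in range(1, len(labels))]
        ce = next((a for a in anc if under(cover["owner"], a)
                   or under(cover["next"], a)), None)
        if ce and any(covers(n, "*." + ce) for n in nsecs):
            return "Name Error"
    if rcode == "NOERROR":
        for n in nsecs:
            owner = norm(n["owner"])
            if qtype in n["types"]:
                continue
            if owner == norm(qname):
                return "No Data"
            # simplification: any enclosing wildcard, not only the closest
            if owner.startswith("*.") and under(qname, owner[2:]) and cover:
                return "Wildcard No Data"
    return "unproven"

def nsec(owner, nxt, types):
    return {"owner": owner, "next": nxt, "types": set(types.split())}

APEX = nsec("example.", "a.example.", "NS SOA RRSIG NSEC DNSKEY")
A = nsec("a.example.", "*.w.example.", "A RRSIG NSEC")
WILD = nsec("*.w.example.", "z.example.", "A RRSIG NSEC")
```

In the Name Error case both NSEC records are needed: one covering the query name and one covering the wildcard at the closest encloser, which is why a response carrying only the first is reported as unproven.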