On Wed, Oct 27, 2021 at 04:09:01PM -0700, Joey Deng wrote:

> Thanks for the detailed response. I think the 'closest encloser' proof
> is what I am missing here. It is weird that none of the DNSSEC RFCs
> talk about the closest encloser of NSEC (or maybe I am not aware about
> it).

Perhaps it was supposed to be "more obvious", given that none of the
names are hashed.

> > The closest encloser is then the longest domain equal to or
> > containing both endpoints of the NSEC pair.
>
> There are two names in the NSEC record:
> 1. Current owner name
> 2. Next owner name
>
> By saying "longest domain equal to or containing", do you mean:
> The longest common name of the current owner name and the next owner name.

I forgot to consider that one or the other end of the pair may prove
existence of an ancestor of the qname that lies below their *common*
ancestor. This is then instead the closest encloser.

I was thinking of a tree that looked like the below, with "L" the left
end of the NSEC pair, "R" the right end, "Q" the qname and "C" the
closest encloser:

           C
          /|\
         / | *
        *  |  \
       /   *   \
      /    |    R
     L     |
           Q

but instead we can have either of:

          x                x
         / \              / \
        /   *            /   C
       C     \          *   / \
      / \     \        /   /   \
     /   *     R      /   *     R
    L     \          L   /
           Q            Q

> ;subdomain.data.wildcard.dnssec.qdeng.io. IN MX
>
> ;; AUTHORITY SECTION:
> qdeng.io. 3601 IN SOA pdns1.registrar-servers.com.
> hostmaster.registrar-servers.com. 1635297699 43200 3600 604800 3601
> *.wildcard.dnssec.qdeng.io. 3601 IN NSEC a.wildcard.dnssec.qdeng.io.
> AAAA RRSIG NSEC
> a.wildcard.dnssec.qdeng.io. 3601 IN NSEC dnssed.qdeng.io. AAAA RRSIG NSEC

Here we see that "wildcard.dnssec.qdeng.io" exists, because its "a"
subdomain exists, so this is the closest encloser.

Sorry for the error in my previous post.

-- 
Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
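The closest-encloser derivation discussed in this thread, as an added example that is not part of the original message or of any DNS implementation. It uses the qdeng.io records quoted above plus a constructed second case (the names under example. are made up) in which the naive "common ancestor of the endpoints" reading gives the wrong answer:

```python
# Added example, not part of the thread: derive the closest encloser of a
# qname from an NSEC pair.  Every ancestor of an existing name also exists,
# so the closest encloser is the longest ancestor of qname that is equal
# to, or an ancestor of, EITHER NSEC endpoint.  That is not always the
# endpoints' common ancestor, which is the point made in the reply above.


def labels(name: str) -> list[str]:
    """Labels of a fully qualified name, root excluded, lowercased."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab]


def join(ls: list[str]) -> str:
    """Inverse of labels(): rebuild a fully qualified name ('.' for root)."""
    return ".".join(ls) + "." if ls else "."


def is_ancestor_or_self(anc: str, name: str) -> bool:
    """True if anc equals name or is one of its parent domains."""
    a, n = labels(anc), labels(name)
    return len(a) <= len(n) and n[len(n) - len(a):] == a


def common_ancestor(a: str, b: str) -> str:
    """The naive reading: longest common suffix of the two endpoints."""
    la, lb = labels(a), labels(b)
    common: list[str] = []
    while la and lb and la[-1] == lb[-1]:
        common.insert(0, la.pop())
        lb.pop()
    return join(common)


def closest_encloser(qname: str, owner: str, next_name: str) -> str:
    """Longest proper ancestor of qname proven to exist by owner or next_name.

    Assumes the NSEC pair covers qname, i.e. qname itself does not exist,
    so only qname's parents are candidates.  Falls back to the root.
    """
    ls = labels(qname)
    for i in range(1, len(ls) + 1):          # parent first, then grandparent, ...
        cand = join(ls[i:])
        if is_ancestor_or_self(cand, owner) or is_ancestor_or_self(cand, next_name):
            return cand
    return "."


if __name__ == "__main__":
    # Records quoted in the thread: both endpoints lie under wildcard.dnssec.qdeng.io.
    print(closest_encloser("subdomain.data.wildcard.dnssec.qdeng.io.",
                           "a.wildcard.dnssec.qdeng.io.", "dnssed.qdeng.io."))
    # Constructed case: the left endpoint alone proves x.example. exists.
    print(closest_encloser("b.x.example.", "a.x.example.", "y.example."))
    print(common_ancestor("a.x.example.", "y.example."))
```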