> On 1 Dec 2021, at 19:54, Vladimír Čunát <vladimir.cunat+i...@nic.cz> wrote:
>
> On 01/12/2021 09.35, Mark Andrews wrote:
>> Also stop hiding this breakage. Knot and unbound ignore the NSEC records
>> which trigger this when synthesising.
>
> Knot Resolver stopped treating minimally-covering NSEC* aggressively, but
> there are *two* different reasons.
>
> 1) breakages like this. We hard-enabled aggressivity for NSEC and NSEC3 in
> 2018; at that point we felt very much in the minority, and it was hard to
> convince others that it's them who's doing it wrong (say, F5 customers).
>
> 2) low benefits of aggressive caching in this case. When the range covers
> basically a single name, the possible positive effect is very limited. There
> are negative non-breaking effects as well, e.g. caching of approaches like
> [black-lies]. You also need to weigh the (negligible) benefits against
> the (small-ish) costs of aggressive cache-searching.
>
> [black-lies] https://blog.cloudflare.com/black-lies/
Accepting 'QNAME NSEC \000.QNAME NSEC RRSIG' (and other type maps) protects you from random QTYPE attacks. It also makes 'black lies' work as intended.

The existing synth-from-dnssec code in BIND doesn't treat this pattern as special. I'm arguing that special code for this isn't needed, and if it were put in it would be removed in the next production release cycle.

As for F5, we had been reporting issues like this as well. That said, I believe they have now published workaround instructions for the old servers (add A and/or AAAA records to the backing zones to generate the correct NSEC type map), and in the new code you specify the type list for NSEC / NSEC3. Presumably F5 add A and AAAA as appropriate to this if they are missing. Hopefully HTTPS soon.

The issues with zone enumeration have been grossly exaggerated. For most zones on the Internet there is no benefit in preventing enumeration and only costs, as you leave yourself exposed to reflected random subdomain attacks.

> --Vladimir
>

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
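As an added illustration of the two points above (written for this page, not code from BIND, Knot Resolver or the thread's authors): a resolver that accepts the minimally-covering 'QNAME NSEC \000.QNAME NSEC RRSIG' record can synthesise NODATA for every other QTYPE at that name, but the same record sorts strictly between almost no other names, so it contributes essentially nothing to NXDOMAIN synthesis. Names, records and the canonical-ordering helper are constructed for the example; the ordering follows RFC 4034 section 6.1.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

def labels(name: str) -> List[bytes]:
    """Presentation-format name -> wire labels (root omitted), lowercased.
    Decodes the \\DDD escape so the black-lies next name \\000.QNAME works."""
    out = []
    for label in name.rstrip(".").split("."):
        if label == "":
            continue
        raw, i = bytearray(), 0
        while i < len(label):
            if label[i] == "\\" and label[i + 1:i + 4].isdigit():
                raw.append(int(label[i + 1:i + 4])); i += 4
            else:
                raw.append(ord(label[i].lower())); i += 1
        out.append(bytes(raw))
    return out

def canonical_key(name: str) -> List[bytes]:
    # RFC 4034 s6.1: compare label by label starting nearest the root;
    # Python list/bytes comparison gives the "shorter prefix sorts first" rule.
    return list(reversed(labels(name)))

@dataclass(frozen=True)
class NSEC:
    owner: str
    next: str
    types: FrozenSet[str]

def covers(nsec: NSEC, qname: str) -> bool:
    """True if qname sorts strictly between owner and next (NXDOMAIN proof)."""
    o, n, q = canonical_key(nsec.owner), canonical_key(nsec.next), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC of the zone wraps around to the apex

def synthesize(nsec: NSEC, qname: str, qtype: str) -> Optional[str]:
    """What a resolver may synthesise from this cached NSEC for (qname, qtype):
    'NODATA', 'NXDOMAIN', or None when the record proves nothing useful."""
    if canonical_key(qname) == canonical_key(nsec.owner):
        # Type present in the bitmap: the real RRset must be fetched instead.
        return None if qtype in nsec.types else "NODATA"
    return "NXDOMAIN" if covers(nsec, qname) else None

# Constructed black-lies record for www.example.com
BLACK_LIES = NSEC("www.example.com", "\\000.www.example.com", frozenset({"NSEC", "RRSIG"}))
```

Compared with an ordinary NSEC spanning two real names, the black-lies record answers random-QTYPE queries for its owner from cache while proving nothing about neighbouring names.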