On Wed, Jul 26, 2023 at 11:05 PM Edward Lewis <edward.le...@icann.org> wrote:
> [...]
> In some sense, this proposal is establishing a (set of) wildcard(s)
> (source[s] of synthesis) that owns just an NSEC record when it applies to
> otherwise NXDOMAIN responses. Mulling this over, it becomes apparent that
> the next name field in the NSEC record is a problem - wildcards allow for
> the inclusion of an owner name pulled from the query (and DNSSEC
> accommodates that via the label count) but there is no process for
> modifying the RDATA in a synthesized record. The lack of a process for
> modifying the RDATA means that "this is something entirely new".
>
> I think that signing on the fly is a great idea. But when DNSSEC was
> defined, and specifically here the NSEC record, it was assumed that DNSSEC
> records would be generated on machines air-gapped from the network because
> the state of the art in host security was simply poor. This forced the
> design to take on an approach of showing the querier "here's what I do
> have, you can deduce that your request has no answer (NXDOMAIN)". With
> signing on the fly, that approach makes no sense - you should be able to
> send a tailored response.
>
> A tailored response, i.e., "there's no name matching the QNAME", means
> there's no need to mention the next name. This would be great - no need to
> sort the zone, no need to assist zone walking, etc. The NSEC record is
> just not built for that though, it's an entirely ill-fit.

Yes, certainly a different design would have been possible if online signing
was a primary use case. But I think NSEC and its minimally covering
variant(s) probably do a reasonable job of catering to both pre-computed and
online signing models today. I doubt there is an appetite for a larger
redesign at this point.

In regard to your observations on wildcards, I don't have a direct comment
to add -- but I do want to point out that Compact DoE handles wildcards quite
differently, and this may not be readily apparent to the casual observer.

In this system, a wildcard is not a DNS protocol element that is exposed in
the wire protocol, but just an internal response provisioning instruction.
Compact DoE implementations pretend that every name that matches a wildcard
explicitly existed in the zone and generate an on-the-fly proof for that.
This obviates the need to provide an NSEC record in the response that proves
that no closer match than the wildcard is possible, and is a simplification
enabled by online signing. Some details in:

https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-compact-denial-of-existence-00#name-responses-for-wildcard-matc

Shumon.
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
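The two behaviours Shumon describes (a wildcard match answered as if the query name were explicitly in the zone, and a non-existent name denied by an NSEC placed at the query name rather than by a pair of real neighbours), worked through as an added example. This is editorial illustration, not code from the thread, the draft, or any DNS server. Assumptions made here: the toy zone and its contents, the helper names, the choice of the NXNAME pseudo-type in the bitmap of the "name does not exist" NSEC together with a NOERROR RCODE (my reading of the draft's later text, not something this message states), and the `\000`-label "immediately following name" construction for the next-name field. Signing itself is out of scope; only the RRSIG Labels value an on-the-fly signer would use is shown, which is the field Edward's point about label counts turns on.

```python
"""Compact Denial of Existence (DoE) response synthesis for an online-signing
authoritative server: added illustration, not the draft's or any server's code.
The toy zone, the helper names and the NSEC type bitmap contents are
assumptions made for this example."""

# Constructed toy zone: owner name -> {RRtype: rdata}; names are lower-case
# and fully qualified.  The wildcard is just another owner name here.
ZONE = {
    "example.":     {"SOA": "ns1.example. hostmaster.example. 1 3600 900 1209600 300",
                     "NS": "ns1.example."},
    "ns1.example.": {"A": "192.0.2.53"},
    "www.example.": {"A": "192.0.2.10", "AAAA": "2001:db8::10"},
    "*.example.":   {"TXT": '"synthesised from the wildcard"'},
}


def labels(name):
    """Labels of a name, root omitted: 'www.example.' -> ['www', 'example']."""
    return [l for l in name.rstrip(".").split(".") if l]


def canonical_key(name):
    """Sort key for DNSSEC canonical name order (RFC 4034 s6.1): labels are
    compared starting at the root, each as a case-folded byte string."""
    return [l.lower().encode("latin-1") for l in reversed(labels(name))]


def next_name_below(name):
    """The name immediately following `name` in canonical order (RFC 4470
    style): a single zero-octet label prepended to it."""
    return "\x00." + name


def name_exists(name):
    """True for explicit owner names and for empty non-terminals."""
    return name in ZONE or any(z.endswith("." + name) for z in ZONE)


def closest_encloser(qname):
    """Longest existing ancestor of qname (RFC 4592 terminology)."""
    parts = labels(qname)
    for i in range(1, len(parts) + 1):
        candidate = ".".join(parts[i:]) + "." if parts[i:] else "."
        if name_exists(candidate):
            return candidate
    return "."


def nsec_at(owner, types):
    """Minimally covering NSEC with owner == QNAME and next == the name right
    after it: it asserts nothing about any other name, so there is nothing
    to walk and no sorted zone is needed to produce it."""
    return {"owner": owner, "next": next_name_below(owner),
            "types": sorted(set(types) | {"NSEC", "RRSIG"})}


def respond(qname, qtype):
    """DNSSEC-relevant parts of a Compact DoE response.  RCODE is NOERROR even
    for a non-existent name because the NSEC sits *at* the QNAME; the NXNAME
    pseudo-type (an assumption here) is what lets an aware resolver tell that
    case apart from an empty non-terminal and recover NXDOMAIN."""
    qname = qname.lower()
    if name_exists(qname):
        rrsets, source = ZONE.get(qname, {}), qname      # explicit name or ENT
    else:
        wildcard = "*." + closest_encloser(qname)
        if wildcard not in ZONE:
            return {"rcode": "NOERROR", "answer": [], "denies_name": True,
                    "nsec": nsec_at(qname, ["NXNAME"])}
        rrsets, source = ZONE[wildcard], wildcard
    if qtype in rrsets:
        # A wildcard match is presented as if qname were explicitly in the
        # zone: owner == qname, RRSIG Labels == label count of qname, and no
        # NSEC at all.  With a pre-signed wildcard RRSIG the Labels field would
        # be smaller, which is exactly what tells a validator to demand a
        # no-closer-match NSEC proof.
        presigned = len(labels(source)) - 1 if source != qname else None
        return {"rcode": "NOERROR", "denies_name": False, "nsec": None,
                "answer": [{"owner": qname, "type": qtype, "rdata": rrsets[qtype],
                            "rrsig_labels": len(labels(qname)),
                            "labels_if_presigned_wildcard": presigned}]}
    # NODATA: the name exists (really, or by wildcard pretence) without qtype.
    return {"rcode": "NOERROR", "answer": [], "denies_name": False,
            "nsec": nsec_at(qname, rrsets)}


def names_in_gap(nsec):
    """Validator-side soundness check: zone names strictly between owner and
    next.  A correct NSEC must have none, or it would deny names that exist."""
    lo, hi = canonical_key(nsec["owner"]), canonical_key(nsec["next"])
    return sorted(n for n in ZONE if lo < canonical_key(n) < hi)


def names_disclosed(nsec):
    """Existing owner names a querier learns from the NSEC beyond the QNAME it
    already knew (the zone-walking leak).  Empty for compact NSECs."""
    return [nsec["next"]] if name_exists(nsec["next"]) else []


if __name__ == "__main__":
    for q in [("www.example.", "A"), ("foo.bar.example.", "TXT"),
              ("foo.example.", "A"), ("x.www.example.", "A")]:
        r = respond(*q)
        print(q, r, "gap:", names_in_gap(r["nsec"]) if r["nsec"] else "-")
```

Running it shows the contrast in the message: `foo.bar.example./TXT` comes back with owner `foo.bar.example.` and RRSIG Labels 3 (the pre-signed wildcard would carry 1) and no NSEC, while `x.www.example./A` gets a single NSEC whose next name is `\000.x.www.example.`, so `names_in_gap` and `names_disclosed` are empty for every denial: the record is sound and reveals nothing about neighbouring names, which is the "no need to sort the zone, no zone walking" property from the quoted text, obtained without changing the NSEC wire format.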