On Mon, Jan 6, 2025 at 4:42 PM Ben Schwartz <bemasc= 40meta....@dmarc.ietf.org> wrote:
> DNSSEC* makes this clear. Otherwise, I don't believe it is revealed.
>
> --Ben Schwartz
>
> *When using classic offline signing.

Yes, classic (pre-computed signature) DNSSEC definitely reveals wildcards. Online signing may or may not, depending on the implementation. Classic White Lies implementations typically do reveal wildcards (at least most of them I've encountered). Compact Denial of Existence implementations typically don't -- they only treat the wildcard as a dynamic response creation instruction, and produce an online signature claiming that the full query name actually existed in the zone, thereby avoiding the need to include an NSEC record that demonstrates no closer match than the wildcard was possible. This does impose a cost though, by preventing resolvers from synthesizing wildcard answers from an authoritative server response.

Shumon.
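The contrast Shumon draws above, as an added toy model that is not code from the thread or from any DNSSEC implementation: a resolver detects wildcard expansion when the RRSIG Labels field is smaller than the owner name's label count (RFC 4035 section 5.3.4) and then needs a covering NSEC proving no closer match; an offline-signed zone must ship exactly that, while a Compact-Denial-style online signer signs the query name itself and sends no NSEC, so the resolver learns nothing and, as the cost noted above, cannot synthesize answers for sibling names itself. The zone `example.com.` with `*.example.com.` and `www.example.com.` is constructed; signatures are modelled as their Labels field only, denial-of-existence proofs for non-matching names are out of scope, and the function names are the example's own.

```python
from __future__ import annotations
from dataclasses import dataclass

# --- name helpers --------------------------------------------------------------
def labels(name: str) -> list[str]:
    """Labels of a fully-qualified name, root omitted."""
    return [l for l in name.rstrip(".").split(".") if l]

def join(ls: list[str]) -> str:
    return ".".join(ls) + "."

def rrsig_label_count(owner: str) -> int:
    """RRSIG Labels field (RFC 4034 s3.1.3): owner label count, a leading '*' not counted."""
    return len([l for l in labels(owner) if l != "*"])

def canon_key(name: str) -> list[str]:
    """Canonical ordering key (RFC 4034 s6.1): labels compared right to left, case-insensitive."""
    return [l.lower() for l in reversed(labels(name))]

def nsec_covers(nsec: tuple[str, str], name: str) -> bool:
    """True if 'name' falls strictly between the NSEC owner and its Next Domain Name."""
    return canon_key(nsec[0]) < canon_key(name) < canon_key(nsec[1])

# --- constructed zone ------------------------------------------------------------
@dataclass
class Zone:
    origin: str
    rrsets: dict  # owner -> {rtype: [rdata, ...]}

    def existing_names(self) -> set[str]:
        """Owners plus empty non-terminals (every ancestor of an owner inside the zone)."""
        names, olen = set(), len(labels(self.origin))
        for owner in self.rrsets:
            ls = labels(owner)
            for i in range(len(ls) - olen + 1):
                names.add(join(ls[i:]))
        return names

    def lookup(self, qname: str, qtype: str):
        """RFC 4592 matching: exact owner, else the wildcard directly under the closest encloser."""
        if qname in self.rrsets:
            return qname, self.rrsets[qname].get(qtype, [])
        existing, ls = self.existing_names(), labels(qname)
        for i in range(1, len(ls)):                 # longest existing ancestor = closest encloser
            if (ce := join(ls[i:])) in existing:
                wild = "*." + ce
                if wild in self.rrsets:
                    return wild, self.rrsets[wild].get(qtype, [])
                return None, None                   # a closer encloser exists: wildcard does not apply
        return None, None

    def nsec_covering(self, qname: str) -> tuple[str, str]:
        """The pre-computed NSEC whose owner precedes qname and whose Next follows it."""
        owners = sorted(self.rrsets, key=canon_key)
        prev = owners[-1]
        for o in owners:
            if canon_key(o) < canon_key(qname):
                prev = o
        return prev, owners[(owners.index(prev) + 1) % len(owners)]

ZONE = Zone("example.com.", {
    "example.com.":     {"NS": ["ns1.example.com."]},
    "*.example.com.":   {"A": ["192.0.2.1"]},
    "www.example.com.": {"A": ["192.0.2.2"]},
})

# --- the two authoritative behaviours being contrasted ------------------------------
def classic_offline_response(zone: Zone, qname: str, qtype: str) -> dict:
    """Offline signing: the only signature on a wildcard RRset carries the wildcard's
    label count, so the server must also add the NSEC proving no closer match existed."""
    owner, rdata = zone.lookup(qname, qtype)
    if owner is None:
        return {"rcode": "NXDOMAIN"}
    resp = {"rcode": "NOERROR", "answer": {"owner": qname, "rdata": rdata,
                                           "rrsig_labels": rrsig_label_count(owner)}}
    if owner != qname:
        resp["authority_nsec"] = zone.nsec_covering(qname)
    return resp

def compact_online_response(zone: Zone, qname: str, qtype: str) -> dict:
    """Compact-Denial-style online signing: the wildcard only instructs response creation;
    the RRset is signed as if qname itself were in the zone, so no NSEC is needed."""
    owner, rdata = zone.lookup(qname, qtype)
    if owner is None:
        return {"rcode": "NXDOMAIN"}
    return {"rcode": "NOERROR", "answer": {"owner": qname, "rdata": rdata,
                                           "rrsig_labels": rrsig_label_count(qname)}}

# --- what a validating resolver can infer ------------------------------------------
def wildcard_seen_by_resolver(resp: dict) -> str | None:
    """RFC 4035 s5.3.4: Labels < owner label count means wildcard expansion; the resolver
    reconstructs the wildcard and requires an NSEC covering the query name."""
    if resp.get("rcode") != "NOERROR":
        return None
    ans, n = resp["answer"], rrsig_label_count(resp["answer"]["owner"])
    if ans["rrsig_labels"] >= n:
        return None                                 # nothing reveals a wildcard
    nsec = resp.get("authority_nsec")
    if nsec is None or not nsec_covers(nsec, ans["owner"]):
        raise ValueError("wildcard expansion without proof of no closer match: bogus")
    return "*." + join(labels(ans["owner"])[n - ans["rrsig_labels"]:])

def resolver_synthesize(cached: dict, new_qname: str) -> list | None:
    """Aggressive use of a cached wildcard answer (RFC 8198 style): answer a sibling name
    locally only if the cached NSEC also proves no closer match exists for it."""
    wild = wildcard_seen_by_resolver(cached)
    if wild is None or labels(new_qname)[-(len(labels(wild)) - 1):] != labels(wild)[1:]:
        return None
    if not nsec_covers(cached["authority_nsec"], new_qname):
        return None
    return cached["answer"]["rdata"]
```

Running `wildcard_seen_by_resolver` over both responders' answers for `foo.example.com.` returns `*.example.com.` for the offline-signed response and `None` for the compact one; `resolver_synthesize` then answers `bar.example.com.` from the offline-signed cache entry but returns `None` for the compact entry, which is the synthesis cost the message describes. The lookup for `a.www.example.com.` returns no match, since `www.example.com.` is a closer encloser than the wildcard's parent.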
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org