On Mon, Jan 17, 2022 at 9:04 AM Ulrich Wisser via dns-operations < [email protected]> wrote:
>
> ---------- Forwarded message ----------
> From: Ulrich Wisser <[email protected]>
> To: Mark Andrews <[email protected]>
> Cc: Shreyas Zare <[email protected]>, Greg Choules via dns-operations <[email protected]>
> Bcc:
> Date: Mon, 17 Jan 2022 15:01:36 +0100
> Subject: Re: [dns-operations] DNSSec validation issue for .se (missing denial of existence for *.se)
>
> This is of course very interesting for us (at .se).
> I tried this with all our dns servers and all give the same answer.
> But I tend to agree that a proof for the non existence of the wildcard should be there.
>
> I am thinking of a domain setup as:
>
> *.example.com. TXT “wildcard”
> 0.example.com. TXT “zero”
> test.a.example.com. TXT “test.a”
>
> What answer should “dig +dnssec a.example.com txt” give?
>
> I would say “wildcard”. And if that is the case, shouldn’t it then send an extra sec in case there is no wildcard record?

Actually, no Ulrich, a query for "a.example.com" in your example will not match the wildcard, since the node "a.example.com" positively exists (as an empty non-terminal with a descendant node, test.a.example.com, that has data).

The DNS name matching algorithm is label by label inspection from the top down (see RFC 1034, Section 4.3.2).

    c. If at some label, a match is impossible (i.e., the corresponding label does not exist), look to see if a the "*" label exists.

(At this stage in your example, a match is found.)

Hence, no wildcard non-existence proof is needed. Those are needed only for NXDOMAIN responses, where you have to additionally prove that although the name did not explicitly exist, a response for it could not have been synthesized by a wildcard.

Shumon.
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
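The label-by-label matching that Shumon describes (RFC 1034, Section 4.3.2, step 3), run over the toy zone Ulrich sketched, as an added example that is not part of the thread and not code from any of the participants or from a real name server. It builds the set of nodes that exist in the zone (owner names plus the empty non-terminals above them), walks the query name top-down, and for each outcome lists the denial-of-existence proofs a signed response would have to carry (named after the RFC 4035 Section 3.1.3 cases; "NSEC/NSEC3" is used generically). The zone contents, the apex name and the Answer structure are constructed for the example; the lookup also handles multi-label names below the wildcard, which Ulrich's question did not ask about.

```python
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed toy zone (the one from Ulrich's message, plus an apex SOA/NS):
# owner name -> RR type -> rdata list. Keys are lower-case without a trailing dot.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "example.com": {"SOA": ["ns1.example.com. hostmaster.example.com. 1 2 3 4 5"],
                    "NS": ["ns1.example.com."]},
    "*.example.com": {"TXT": ["wildcard"]},
    "0.example.com": {"TXT": ["zero"]},
    "test.a.example.com": {"TXT": ["test.a"]},
}
APEX = "example.com"


class Answer(NamedTuple):
    rcode: str                  # "NOERROR", "NODATA" (NOERROR with empty answer) or "NXDOMAIN"
    rdata: Optional[List[str]]  # synthesized or literal answer data, if any
    proofs: List[str]           # denial-of-existence proofs a signed response must carry


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def existing_nodes(zone: Dict[str, Dict[str, List[str]]], apex: str) -> Set[str]:
    """Every name that exists in the zone: owners of RRsets plus the empty
    non-terminals between them and the apex (e.g. a.example.com here)."""
    nodes: Set[str] = set()
    for owner in zone:
        labels = _norm(owner).split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            nodes.add(name)
            if name == apex:
                break
    return nodes


def lookup(qname: str, qtype: str, zone=ZONE, apex: str = APEX) -> Answer:
    """RFC 1034 4.3.2 step 3: match the query name label by label from the apex down."""
    zone = {_norm(k): v for k, v in zone.items()}
    qname, apex = _norm(qname), _norm(apex)
    nodes = existing_nodes(zone, apex)
    if qname != apex and not qname.endswith("." + apex):
        raise ValueError(f"{qname} is not in zone {apex}")

    # Labels below the apex, ordered top-down (nearest the apex first).
    below = qname[: -len(apex)].rstrip(".") if qname != apex else ""
    pending = below.split(".")[::-1] if below else []

    node = apex  # the deepest name we have matched so far
    for label in pending:
        candidate = f"{label}.{node}"
        if candidate in nodes:
            node = candidate  # step 3a/3b: the label exists, keep descending
            continue
        # Step 3c: this label does not exist. `node` is the closest encloser and
        # `candidate` the "next closer" name; only a wildcard directly under the
        # closest encloser may synthesize an answer.
        wildcard = f"*.{node}"
        next_closer_proof = f"NSEC/NSEC3 covering next closer name {candidate} (wildcard use was legitimate)"
        if wildcard in nodes:
            rrsets = zone.get(wildcard, {})
            if qtype in rrsets:
                return Answer("NOERROR", rrsets[qtype], [next_closer_proof])
            return Answer("NODATA", None,
                          [next_closer_proof, f"NSEC/NSEC3 at {wildcard} showing no {qtype}"])
        return Answer("NXDOMAIN", None, [
            f"closest encloser {node} exists",
            f"NSEC/NSEC3 covering next closer name {candidate}",
            f"NSEC/NSEC3 covering {wildcard} (no wildcard could have synthesized an answer)",
        ])

    # Every label matched: the name exists (possibly as an empty non-terminal).
    rrsets = zone.get(node, {})
    if qtype in rrsets:
        return Answer("NOERROR", rrsets[qtype], [])
    return Answer("NODATA", None, [f"NSEC/NSEC3 at {node} showing no {qtype}"])


if __name__ == "__main__":
    for name in ("a.example.com", "b.example.com", "x.y.example.com", "x.test.a.example.com"):
        print(name, lookup(name, "TXT"))
```

Running it shows the point of the reply: a.example.com TXT is NODATA with a single NSEC/NSEC3 proof at that name, b.example.com and x.y.example.com are synthesized from *.example.com with a proof that the next closer name does not exist, and only x.test.a.example.com, whose closest encloser has no wildcard, is NXDOMAIN and needs the additional proof that *.test.a.example.com does not exist.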
