On Fri, 26 Oct 2012, Peter van Dijk wrote:

> On Oct 26, 2012, at 15:17 , Paul Wouters wrote:
>
>> On Fri, 26 Oct 2012, Peter van Dijk wrote:
>>
>>> nxd IN CNAME nxdomain.example.com.
>>> PowerDNS currently does not generate this NSEC3 but this will be fixed shortly.
>>
>> You would return an NSEC3 record for a record that actually
>> exists? That would be a very inconsistent nsec/nsec3 chain.
>
> nxdomain.example.com does not exist.
>
>> How would offline signers deal with this? Pregenerate nsec records
>> for data that _is_ in the zone?
>
> Offline signers would already have generated the NSEC(3) that denies existence
> of nxdomain.example.com, simply by virtue of the name not existing in the
> zone.
But wouldn't the chain be built based on LHS? Let's check opendnssec:
[root@nohats signed]# ldns-nsec3-hash cname.nohats.ca. -t 5
javgjvs1ictdbmts0fcjome4s37kndg0.
[root@nohats signed]# grep javg nohats.ca
javgjvs1ictdbmts0fcjome4s37kndg0.nohats.ca. 3600 IN NSEC3 1 0 5 - jn89c3qpvavcumn3cv172r7gbu8h6ffs CNAME RRSIG
javgjvs1ictdbmts0fcjome4s37kndg0.nohats.ca. 3600 IN RRSIG NSEC3 8 3 3600 20121109223118 20121026121347 52368 nohats.ca. zjkB06zMPYIAdtGnWoA3wRqe2Fg5y4Y7R21qaQovhqXtijwMQJfukhKA4OWO4oj5DVL/v0WTZRJII64XuAUzVs9RZMAcCuDceR0BdAT5CgjbkvEwgq08/PI06hXvScTjPzFSRPPfRJ3ViAinFDPd2JZHgMkTO9Wen0KkVPH/vhc=
ioukpqjt07l1b83ppfd1grdcc57864ja.nohats.ca. 3600 IN NSEC3 1 0 5 - javgjvs1ictdbmts0fcjome4s37kndg0 A RRSIG
So cname.nohats.ca is part of the nsec3 chain.
So in some sense, the record "exists". I guess validators would have to
be very careful handling the NXDOMAIN, they might decide it is spoofed
because they have an existing NSEC/NSEC3 entry for it.
Odd corner case.
Paul
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
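The point Paul is circling above is the distinction a validator has to make between an NSEC3 that *matches* a hashed name (the name exists; the type bitmap says what it holds, here CNAME) and one that *covers* it (the hash falls in the gap between owner and next, so the name does not exist). The following is an added example written for this page; it is not code from the thread, from PowerDNS, OpenDNSSEC or ldns. It implements the RFC 5155 hash (SHA-1, salt, iterations, base32hex) so that it reproduces the `ldns-nsec3-hash cname.nohats.ca. -t 5` output quoted above, and runs the two NSEC3 records from the zone excerpt through a matched/covered/unproven check. The `explain()` helper, the `PAGE_RECORDS` constant and the name `nxdomain.nohats.ca` are this example's own constructions.

```python
"""NSEC3 hashing and denial-of-existence classification (RFC 5155).

Added example, not from the DNSOP thread or from PowerDNS/OpenDNSSEC/ldns.
Shows why an NSEC3 whose owner *equals* H(qname) says "this name exists"
and therefore cannot be mistaken for a proof that the name does not.
"""
import base64
import hashlib

# Hashed owner, next hashed owner and type bitmap of the two NSEC3 records
# shown in the thread (zone nohats.ca: alg 1, flags 0, 5 iterations, no salt).
PAGE_RECORDS = [
    ("ioukpqjt07l1b83ppfd1grdcc57864ja", "javgjvs1ictdbmts0fcjome4s37kndg0", {"A", "RRSIG"}),
    ("javgjvs1ictdbmts0fcjome4s37kndg0", "jn89c3qpvavcumn3cv172r7gbu8h6ffs", {"CNAME", "RRSIG"}),
]


def to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format encoding of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminator
    return bytes(out)


def b32hex(data: bytes) -> str:
    """Base32hex (RFC 4648 s.7) without padding, lowercase as ldns prints it."""
    std = base64.b32encode(data).decode("ascii").rstrip("=")
    table = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          "0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return std.translate(table).lower()


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """IH(salt, name, iterations) from RFC 5155 s.5 with hash algorithm 1 (SHA-1).

    iterations=0 is one SHA-1 over wire(name) || salt; each further
    iteration hashes the previous digest || salt again.
    """
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex(digest)


def classify(hashed: str, records) -> tuple:
    """What do these NSEC3 records prove about a hashed name?

    ("matched", rec): an owner equals the hash, so the name exists and
    rec's bitmap lists its types.  ("covered", rec): the hash lies strictly
    between owner and next (or in the wrap-around gap of the last record),
    so the name does not exist.  ("unproven", None): neither, which is what
    a validator sees when the response lacks the right NSEC3.
    Base32hex preserves byte order, so plain string comparison is correct.
    """
    for rec in records:
        if hashed == rec[0]:
            return "matched", rec
    for rec in records:
        owner, nxt, _ = rec
        if owner < nxt:
            if owner < hashed < nxt:
                return "covered", rec
        elif hashed > owner or hashed < nxt:  # last record wraps to the first
            return "covered", rec
    return "unproven", None


def explain(qname: str, records, salt: bytes = b"", iterations: int = 0) -> str:
    """One-line verdict for a name against the records in hand (example helper)."""
    h = nsec3_hash(qname, salt, iterations)
    kind, rec = classify(h, records)
    if kind == "matched":
        return (f"{qname} -> {h}: exists with types {sorted(rec[2])}; "
                "an NXDOMAIN here can only be about the CNAME target, not this name")
    if kind == "covered":
        return f"{qname} -> {h}: does not exist (covered by {rec[0]} .. {rec[1]})"
    return f"{qname} -> {h}: these NSEC3 records neither prove nor deny it"


if __name__ == "__main__":
    # Reproduces 'ldns-nsec3-hash cname.nohats.ca. -t 5' from the thread.
    print(nsec3_hash("cname.nohats.ca.", b"", 5))
    print(explain("cname.nohats.ca.", PAGE_RECORDS, b"", 5))
    # Constructed name not hashed in the thread; with only two records of the
    # chain in hand its hash most likely falls outside both spans: unproven.
    print(explain("nxdomain.nohats.ca.", PAGE_RECORDS, b"", 5))
```

The matched result for `cname.nohats.ca` carries a bitmap with CNAME in it, which is exactly the information a validator uses to keep the two facts apart: the owner name exists (so an NSEC3 naming it is not evidence of spoofing), and the NXDOMAIN in the same response has to be proven by a different NSEC3, the one covering the hash of the CNAME target.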