A few weeks ago, I came across a blog post describing a "security hole" in so-called "NSEC Aggressive Use" implementations.
https://medium.com/nlnetlabs/the-peculiar-case-of-nsec-processing-using-expanded-wildcard-records-ae8285f236be

After some exchanges of email with the blog author, I (probably not alone, but not wanting to speak for anyone else) came to a conclusion that there's a conflict between the documents "Aggressive Use of DNSSEC-Validated Cache" [1] and "The Role of Wildcards in the Domain Name System" [2].

In the latter document, this text appears in "NSEC RRSet at a Wildcard Domain Name" (section 4.7):

# "Synthesized NSEC RRs will not be harmful as they will never be used in
# negative caching or to generate a negative response [RFC2308]."

From this, the former document ought to list it as updating the latter document, and explain how. This seems (said without confirming) to be the origin of the implementation difficulties.

I tried (once, a while ago) to contact the editors of the "Aggressive Use" document, but haven't gotten a response.

Suggestions?

[1] https://www.rfc-editor.org/rfc/rfc8198.txt
[2] https://www.rfc-editor.org/rfc/rfc4592.txt

DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop

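The following is an added illustration of the point raised in the post above; it is not code from the post, from the blog, or from either RFC's authors. It sketches the guard a validating resolver's aggressive-use logic (RFC 8198) can apply before reusing a cached NSEC record, using the fact from RFC 4034 section 3.1.3 that a wildcard-expanded RRset carries an RRSIG whose Labels field is smaller than the owner name's label count. The zone `example.` with wildcard `*.example.` and all record values are constructed for the example. Only the single-record coverage check is modeled; the additional proof RFC 8198 requires (that no wildcard covers the name) is left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NsecRecord:
    """A cached NSEC RR plus the one RRSIG field needed for the guard."""
    owner: str          # owner name as it appeared in the response
    next_name: str      # NSEC "next domain name" field
    rrsig_labels: int   # Labels field of the RRSIG covering this NSEC


def _labels(name: str) -> list:
    # Split a dotted name into labels, ignoring the trailing root dot.
    return [lbl for lbl in name.rstrip(".").split(".") if lbl]


def _key(name: str) -> tuple:
    # RFC 4034 section 6.1 canonical ordering: compare labels from the root
    # outward, case-insensitively; a name sorts before any of its descendants.
    return tuple(reversed([lbl.lower().encode() for lbl in _labels(name)]))


def is_wildcard_synthesized(rr: NsecRecord) -> bool:
    # RFC 4034 section 3.1.3: Labels < number of owner labels means the RRset
    # was expanded from a wildcard, so its owner is the query name, not a name
    # that actually exists in the zone as written.
    return rr.rrsig_labels < len(_labels(rr.owner))


def nsec_covers(rr: NsecRecord, qname: str) -> bool:
    # qname is "covered" if it sorts strictly between owner and next name.
    o, n, q = _key(rr.owner), _key(rr.next_name), _key(qname)
    if o < n:
        return o < q < n
    # The last NSEC in the chain wraps around to the zone apex.
    return q > o or q < n


def deny_with_cached_nsec(rr: NsecRecord, qname: str) -> bool:
    """Aggressive-use coverage check with the RFC 4592 section 4.7 guard.

    A synthesized NSEC must never be used for negative caching, because the
    wildcard it was expanded from does match the names between owner and next.
    """
    if is_wildcard_synthesized(rr):
        return False
    return nsec_covers(rr, qname)


if __name__ == "__main__":
    # Constructed: answer for a.example. expanded from "*.example. NSEC c.example."
    # The wildcard's RRSIG has Labels = 1 (the "*" label is not counted).
    synthesized = NsecRecord("a.example.", "c.example.", rrsig_labels=1)
    # Constructed: a genuine NSEC at c.example., RRSIG Labels = 2.
    genuine = NsecRecord("c.example.", "z.example.", rrsig_labels=2)

    # Naively the synthesized record "covers" b.example., which the wildcard
    # would in fact answer; the guard refuses to use it.
    print("naive coverage of b.example.:", nsec_covers(synthesized, "b.example."))
    print("guarded denial of b.example.:", deny_with_cached_nsec(synthesized, "b.example."))
    print("guarded denial of m.example.:", deny_with_cached_nsec(genuine, "m.example."))
```

The guard is deliberately conservative: any NSEC whose RRSIG Labels field is below its owner's label count is kept out of the negative-cache path entirely, which is the behaviour RFC 4592's text assumes.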