On Thu, Oct 8, 2020 at 7:46 PM Nick Johnson <nick= [email protected]> wrote:
> I'm reading RFC 5155, and I'm a bit puzzled by the requirement for > "closest encloser" proofs to prove nonexistence of a domain. Given that the > RFC requires generating NSEC3 records on empty non-terminals, isn't it > sufficient to examine a single NSEC3 record to prove nonexistence? > > For example, if I want to prove the nonexistence of a.b.c.example, isn't > it sufficient to validate an NSEC3 record that covers that name and is one > level higher (eg, somehash.b.c.example)? Why do I need to prove the > closest-encloser with a second NSEC3 record? > > -Nick Johnson > The closest encloser proof actually *is* what proves that the name doesn't exist. But the other reason is that for NXDOMAIN proofs, you also need to prove that the name could not have been synthesized by a wildcard. The hypothetical wildcard that might have synthesized a response for the name is constructed by prepending the asterisk label to the closest encloser. Let's use your example and say 'a.b.c.example' doesn't exist in the zone example. Let's also say the longest ancestor of this name that actually does exist in the zone is 'c.example' (which could be an empty non-terminal or not -- either way, it will have an NSEC3 record matching the hash of the name). The NXDOMAIN proof consists of: ### Closest Encloser proof: * the NSEC3 RR that matches the closest encloser name 'c.example' * the NSEC3 RR that covers the next closer name 'b.c.example' This proves that b.c.example does not exist. This automatically means that all names under it, including a.b.c.example, do not exist. ### Wildcard non existence proof: * the NSEC3 RR that covers the wildcard at the closest encloser, namely '*.c.example'. Shumon Huque
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
