On Thu, Oct 8, 2020 at 8:59 PM Shumon Huque <[email protected]> wrote:
> On Thu, Oct 8, 2020 at 7:46 PM Nick Johnson <nick= > [email protected]> wrote: > >> I'm reading RFC 5155, and I'm a bit puzzled by the requirement for >> "closest encloser" proofs to prove nonexistence of a domain. Given that the >> RFC requires generating NSEC3 records on empty non-terminals, isn't it >> sufficient to examine a single NSEC3 record to prove nonexistence? >> >> For example, if I want to prove the nonexistence of a.b.c.example, isn't >> it sufficient to validate an NSEC3 record that covers that name and is one >> level higher (eg, somehash.b.c.example)? Why do I need to prove the >> closest-encloser with a second NSEC3 record? >> >> -Nick Johnson >> > > The closest encloser proof actually *is* what proves that the name doesn't > exist. But the other reason is that for NXDOMAIN proofs, you also need to > prove that the name could not have been synthesized by a wildcard. The > hypothetical wildcard that might have synthesized a response for the name > is constructed by prepending the asterisk label to the closest encloser. > > Let's use your example and say 'a.b.c.example' doesn't exist in the zone > example. > > Let's also say the longest ancestor of this name that actually does exist > in the zone is 'c.example' (which could be an empty non-terminal or not -- > either way, it will have an NSEC3 record matching the hash of the name). > One small correction to my sentence above: strike the phrase about empty non-terminals - the closest encloser can't be an ENT of course (otherwise it wouldn't exist either!). Shumon. The NXDOMAIN proof consists of: > > ### Closest Encloser proof: > * the NSEC3 RR that matches the closest encloser name 'c.example' > * the NSEC3 RR that covers the next closer name 'b.c.example' > > This proves that b.c.example does not exist. This automatically means that > all names under it, including a.b.c.example, do not exist. > > ### Wildcard non existence proof: > * the NSEC3 RR that covers the wildcard at the closest encloser, namely > '*.c.example'. > > Shumon Huque > >
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
