Indeed Mark!

I should have thought about the general case, and not the specific example
in my mail. Thanks for correcting me! :)

Shumon.

On Thu, Oct 8, 2020 at 9:43 PM Mark Andrews <[email protected]> wrote:

> Shumon, you were correct the first time.  A closest encloser can be an ENT
>
> a.b.c.d.example A ...
> a.e.x A ...
>
> with QNAME a.c.c.d.example the closest encloser is the ENT c.d.example.
>
> > On 9 Oct 2020, at 12:32, Shumon Huque <[email protected]> wrote:
> >
> > On Thu, Oct 8, 2020 at 8:59 PM Shumon Huque <[email protected]> wrote:
> > On Thu, Oct 8, 2020 at 7:46 PM Nick Johnson <nick=
> [email protected]> wrote:
> > I'm reading RFC 5155, and I'm a bit puzzled by the requirement for
> "closest encloser" proofs to prove nonexistence of a domain. Given that the
> RFC requires generating NSEC3 records on empty non-terminals, isn't it
> sufficient to examine a single NSEC3 record to prove nonexistence?
> >
> > For example, if I want to prove the nonexistence of a.b.c.example, isn't
> it sufficient to validate an NSEC3 record that covers that name and is one
> level higher (eg, somehash.b.c.example)? Why do I need to prove the
> closest-encloser with a second NSEC3 record?
> >
> > -Nick Johnson
> >
> > The closest encloser proof actually *is* what proves that the name
> doesn't exist. But the other reason is that for NXDOMAIN proofs, you also
> need to prove that the name could not have been synthesized by a wildcard.
> The hypothetical wildcard that might have synthesized a response for the
> name is constructed by prepending the asterisk label to the closest
> encloser.
> >
> > Let's use your example and say 'a.b.c.example' doesn't exist in the zone
> example.
> >
> > Let's also say the longest ancestor of this name that actually does
> exist in the zone is 'c.example' (which could be an empty non-terminal or
> not -- either way, it will have an NSEC3 record matching the hash of the
> name).
> >
> > One small correction to my sentence above: strike the phrase about empty
> non-terminals - the closest encloser can't be an ENT of course (otherwise
> it wouldn't exist either!).
> >
> > Shumon.
> >
> > The NXDOMAIN proof consists of:
> >
> > ### Closest Encloser proof:
> > * the NSEC3 RR that matches the closest encloser name 'c.example'
> > * the NSEC3 RR that covers the next closer name 'b.c.example'
> >
> > This proves that b.c.example does not exist. This automatically means
> that all names under it, including a.b.c.example, do not exist.
> >
> > ### Wildcard non-existence proof:
> > * the NSEC3 RR that covers the wildcard at the closest encloser, namely
> '*.c.example'.
> >
> > Shumon Huque
> >
> > _______________________________________________
> > DNSOP mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/dnsop
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: [email protected]
>
>
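As an added example that is not part of the thread: a small Python model of the NXDOMAIN proof discussed above. It derives the closest encloser (which may be an empty non-terminal, as in Mark's a.c.c.d.example case), the next closer name and the wildcard candidate from a zone's existing names, hashes them with the RFC 5155 NSEC3 hash, and checks whether an NSEC3 RR covers a hash, including the wrap-around of the last record in the chain. The zone contents are constructed; the salt and iteration count are those of RFC 5155 Appendix A.

```python
import base64
import hashlib

B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789abcdefghijklmnopqrstuv")  # RFC 4648 base32hex alphabet

def zone_names(apex, owners):
    """All existing names: each RRset owner plus its ancestors down to the apex; ancestors owning no RRsets are ENTs."""
    existing = set()
    for owner in owners:
        labels = owner.rstrip(".").split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            existing.add(name)
            if name == apex.rstrip("."):
                break
    return existing

def closest_encloser(qname, existing):
    """Return (closest encloser, next closer name, wildcard candidate) for a non-existent QNAME."""
    labels = qname.rstrip(".").split(".")
    if ".".join(labels) in existing:
        return None  # the name exists, so there is no NXDOMAIN to prove
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in existing:  # longest existing ancestor, ENT or not
            return candidate, ".".join(labels[i - 1:]), "*." + candidate
    raise ValueError("QNAME is not below the zone apex")

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: SHA-1 over the lowercase wire-format name plus salt, re-hashed `iterations` more times."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").lower().split(".")) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(B32HEX)

def nsec3_covers(owner_hash, next_hash, target_hash):
    """True if target_hash lies strictly between an NSEC3's owner hash and its next hash (last RR wraps around)."""
    o, n, t = (h.lower() for h in (owner_hash, next_hash, target_hash))
    return o < t < n if o < n else (t > o or t < n)

if __name__ == "__main__":
    # Constructed zone from Mark's example: only a.b.c.d.example owns data, so c.d.example is an ENT.
    names = zone_names("example", ["a.b.c.d.example"])
    ce, nc, wc = closest_encloser("a.c.c.d.example", names)
    print(ce, nc, wc)  # c.d.example c.c.d.example *.c.d.example
    for n in (ce, nc, wc):  # salt aabbccdd and 12 iterations, as in RFC 5155 Appendix A
        print(n, nsec3_hash(n, bytes.fromhex("aabbccdd"), 12))
```

A validator needs three NSEC3 RRs from the response: one whose owner hash matches the closest encloser, one covering the next closer name, and one covering the wildcard candidate.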