!@#$!@#$ mail client. a.b.c.d.example A … a.e.c.d.example A …
with QNAME a.c.c.d.example the closest encloser is the ENT c.d.example. > On 9 Oct 2020, at 12:43, Mark Andrews <[email protected]> wrote: > > Shumon, you where correct the first time. A closest encloser can be a ENT > > a.b.c.d.example A ... > a.e.x A ... > > with QNAME a.c.c.d.example the closest encloser is the ENT c.d.example. > >> On 9 Oct 2020, at 12:32, Shumon Huque <[email protected]> wrote: >> >> On Thu, Oct 8, 2020 at 8:59 PM Shumon Huque <[email protected]> wrote: >> On Thu, Oct 8, 2020 at 7:46 PM Nick Johnson >> <[email protected]> wrote: >> I'm reading RFC 5155, and I'm a bit puzzled by the requirement for "closest >> encloser" proofs to prove nonexistence of a domain. Given that the RFC >> requires generating NSEC3 records on empty non-terminals, isn't it >> sufficient to examine a single NSEC3 record to prove nonexistence? >> >> For example, if I want to prove the nonexistence of a.b.c.example, isn't it >> sufficient to validate an NSEC3 record that covers that name and is one >> level higher (eg, somehash.b.c.example)? Why do I need to prove the >> closest-encloser with a second NSEC3 record? >> >> -Nick Johnson >> >> The closest encloser proof actually *is* what proves that the name doesn't >> exist. But the other reason is that for NXDOMAIN proofs, you also need to >> prove that the name could not have been synthesized by a wildcard. The >> hypothetical wildcard that might have synthesized a response for the name is >> constructed by prepending the asterisk label to the closest encloser. >> >> Let's use your example and say 'a.b.c.example' doesn't exist in the zone >> example. >> >> Let's also say the longest ancestor of this name that actually does exist in >> the zone is 'c.example' (which could be an empty non-terminal or not -- >> either way, it will have an NSEC3 record matching the hash of the name). >> >> One small correction to my sentence above: strike the phrase about empty >> non-terminals - the closest encloser can't be an ENT of course (otherwise it >> wouldn't exist either!). >> >> Shumon. >> >> The NXDOMAIN proof consists of: >> >> ### Closest Encloser proof: >> * the NSEC3 RR that matches the closest encloser name 'c.example' >> * the NSEC3 RR that covers the next closer name 'b.c.example' >> >> This proves that b.c.example does not exist. This automatically means that >> all names under it, including a.b.c.example, do not exist. >> >> ### Wildcard non existence proof: >> * the NSEC3 RR that covers the wildcard at the closest encloser, namely >> '*.c.example'. >> >> Shumon Huque >> >> _______________________________________________ >> DNSOP mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/dnsop > > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: [email protected] > > _______________________________________________ > DNSOP mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [email protected] _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
