On Fri, Oct 9, 2020 at 1:59 PM Shumon Huque <[email protected]> wrote:
> On Thu, Oct 8, 2020 at 7:46 PM Nick Johnson <nick= > [email protected]> wrote: > >> I'm reading RFC 5155, and I'm a bit puzzled by the requirement for >> "closest encloser" proofs to prove nonexistence of a domain. Given that the >> RFC requires generating NSEC3 records on empty non-terminals, isn't it >> sufficient to examine a single NSEC3 record to prove nonexistence? >> >> For example, if I want to prove the nonexistence of a.b.c.example, isn't >> it sufficient to validate an NSEC3 record that covers that name and is one >> level higher (eg, somehash.b.c.example)? Why do I need to prove the >> closest-encloser with a second NSEC3 record? >> >> -Nick Johnson >> > > The closest encloser proof actually *is* what proves that the name doesn't > exist. But the other reason is that for NXDOMAIN proofs, you also need to > prove that the name could not have been synthesized by a wildcard. The > hypothetical wildcard that might have synthesized a response for the name > is constructed by prepending the asterisk label to the closest encloser. > > Let's use your example and say 'a.b.c.example' doesn't exist in the zone > example. > > Let's also say the longest ancestor of this name that actually does exist > in the zone is 'c.example' (which could be an empty non-terminal or not -- > either way, it will have an NSEC3 record matching the hash of the name). > > The NXDOMAIN proof consists of: > > ### Closest Encloser proof: > * the NSEC3 RR that matches the closest encloser name 'c.example' > * the NSEC3 RR that covers the next closer name 'b.c.example' > Right; what I don't follow is why the second of those two proofs isn't sufficient. Doesn't that alone prove that a.b.c.example doesn't exist? > > This proves that b.c.example does not exist. This automatically means that > all names under it, including a.b.c.example, do not exist. > > ### Wildcard non existence proof: > * the NSEC3 RR that covers the wildcard at the closest encloser, namely > '*.c.example'. > > Shumon Huque > >
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
