On Tue, Jul 27, 2021 at 8:46 PM Brian Dickson <[email protected]>
wrote:

> On Tue, Jul 27, 2021 at 4:35 PM Shumon Huque <[email protected]> wrote:
>
>> Folks,
>>
>> While we have the attention of DNSOP folks this week, I'd like to ask for
>> review of this draft (I meant to send it earlier in time for f2f discussion
>> on Tuesday, but better late than never).
>>
>>
>> https://datatracker.ietf.org/doc/html/draft-huque-dnsop-blacklies-ent-01
>>
>>
> That's interesting, and I'm definitely in favor of continuing this work.
>
>  A couple of quick questions:
>
>    - Are there distinctions between NSEC and NSEC3, where ENTs and/or
>    negative proofs result in different response sets?
>
>
I'm not sure I entirely understood your question, but for a specific
authenticated denial of existence mechanism (NSEC, NSEC3, NSEC/3 White Lies,
Black Lies) the response set should be the same. They will differ between
those mechanisms though.

In NSEC, an ENT response would contain 1 NSEC record that covers the ENT.

In NSEC3, the ENT response would contain 1 NSEC3 record that matches the
hash of the ENT.

In Blacklies, the ENT response contains 1 NSEC record that matches the ENT.


>    - Would it make sense to include the synthetic ENT RR as an actual RR
>    in the unsigned zones for such names (i.e. which, absent this record, would
>    be ENTs)?
>
>
So that you can easily distinguish ENTs in unsigned zones? I guess that
could be of possible use, but I'm not sure how compelling that would be.

For me, the goal of this draft is not necessarily to be able to detect ENTs,
but to precisely distinguish non-existent names from existing names (of which
ENTs are a subset).


>    - Does it make sense to harmonize the resulting answers across both
>    "black lies" and pre-signed zones?
>       - That harmonizing might be advisable and/or necessary in a
>       multi-signer universe where one provider is statically signing, and the
>       other is dynamically signing
>
>
Harmonizing the negative answers? Despite their differences, mixing different
denial of existence mechanisms in a multi-signer configuration shouldn't cause
any issues. We describe why in RFC 8901, Section 5, although mixing online and
pre-computed signing will reduce the efficiency of mechanisms like aggressive
negative caching.

> Presumably this would get added to the set of types that must not co-exist
> with any other type, and must be singletons.
>

Yes, but this is really a pseudo type that is only conveyed in a type bitmap,
and ENTs by definition have no record types associated with them otherwise -
the answer section is always empty.

If you query the synthetic type itself, it returns a response without itself
in the type bitmap (so it looks like a NODATA). That may seem mildly
paradoxical in that it denies its own existence. But we already have a
precedent for such behavior in DNSSEC - recall the famed "NSEC3 paradox" :)

Shumon.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
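The contrast Shumon draws above (a pre-computed NSEC record that *covers* an empty non-terminal versus a Black Lies NSEC that *matches* it, and the draft's synthetic ENT pseudo-type that lets a validator tell an ENT apart from a non-existent name) is easy to see in a small model. The following is an added example written for this page; it is not code from the draft, from the thread, or from any DNS implementation. It assumes RFC 4034 canonical name ordering for the NSEC chain, the Black Lies "\000"-label construction of the next name (taken from the Black Lies draft, not from this page), a constructed toy zone, and a placeholder mnemonic `ENT` for the pseudo-type, since the page assigns no type code.

```python
"""Model of ENT denial-of-existence responses: pre-computed NSEC versus
Black Lies with the synthetic ENT pseudo-type.  Added example, not code
from the draft, the thread, or any DNS implementation."""
from dataclasses import dataclass

# Placeholder mnemonic for the draft's synthetic pseudo-type (no code is
# assigned on the page).
ENT_TYPE = "ENT"

# Constructed sample zone: owner name -> RR types present at that name.
# "b.example." owns nothing but has a descendant, so it is an ENT.
ZONE = {
    "example.": {"SOA", "NS", "DNSKEY"},
    "a.b.example.": {"TXT"},
    "www.example.": {"A", "AAAA"},
}


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str
    types: frozenset  # the NSEC type bitmap


def canonical_key(name):
    """RFC 4034 canonical ordering: compare labels from the root leftwards,
    case-insensitively; a name sorts before any of its descendants."""
    labels = [lbl.lower() for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(reversed(labels))


def is_ent(qname, zone):
    """An empty non-terminal owns no records but is an ancestor of an owner."""
    return qname not in zone and any(o.endswith("." + qname) for o in zone)


def nsec_chain(zone):
    """Pre-computed NSEC chain: one record per owner, in canonical order,
    wrapping from the last owner back to the apex."""
    owners = sorted(zone, key=canonical_key)
    return [
        NSEC(owner, owners[(i + 1) % len(owners)],
             frozenset(zone[owner] | {"NSEC", "RRSIG"}))
        for i, owner in enumerate(owners)
    ]


def nsec_denial(qname, zone):
    """Pre-computed NSEC: an ENT (or a non-existent name) is *covered* by the
    record whose owner sorts before qname and whose next name sorts after."""
    k = canonical_key(qname)
    for rec in nsec_chain(zone):
        lo, hi = canonical_key(rec.owner), canonical_key(rec.next_name)
        wraps = hi <= lo  # last record of the chain points back to the apex
        if lo < k < hi or (wraps and (k > lo or k < hi)):
            return rec
    return None  # qname owns records, so no NSEC covers it


def black_lies_denial(qname, zone):
    """Black Lies: synthesize an NSEC whose owner *matches* qname.  The next
    name is qname with a \\000 label prepended (shown in presentation form).
    The bitmap lists the types present at qname plus NSEC/RRSIG; with the
    draft's extension an ENT additionally carries the ENT pseudo-type."""
    types = {"NSEC", "RRSIG"} | set(zone.get(qname, ()))
    if is_ent(qname, zone):
        types.add(ENT_TYPE)
    return NSEC(qname, "\\000." + qname, frozenset(types))


def interpret_black_lies(qname, rec):
    """Validator-side reading of a Black Lies NSEC.  Without the ENT bit an
    ENT and a non-existent name both yield a bitmap of just NSEC+RRSIG; the
    pseudo-type is what makes 'ENT' distinguishable from 'NXDOMAIN'."""
    if rec.owner != qname:
        raise ValueError("Black Lies NSEC must match the query name")
    if ENT_TYPE in rec.types:
        return "ENT"
    if rec.types <= {"NSEC", "RRSIG"}:
        return "NXDOMAIN"
    return "NODATA"


if __name__ == "__main__":
    for name in ("b.example.", "nope.example.", "www.example."):
        print(name, "pre-computed NSEC:", nsec_denial(name, ZONE))
        bl = black_lies_denial(name, ZONE)
        print(name, "Black Lies:", bl, "->", interpret_black_lies(name, bl))
```

Running it shows the two shapes side by side: for `b.example.` the pre-computed chain answers with the record `example. -> a.b.example.` (the ENT sits between them in canonical order), while Black Lies answers with a record owned by `b.example.` itself, and only the `ENT` bit in that record separates it from the byte-identical-looking answer for `nope.example.`.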
