Re: [dns-operations] Looking for zones using white lies (RFC 4470)
shuque> The UltraDNS implementation doesn't use the more precise white
shuque> lies epsilon function defined in the spec, but it is probably
shuque> good enough for all practical purposes.

shuque> And it's much closer to white lies than "black" lies, because it
shuque> preserves the correct semantics of NXDOMAIN.

That's actually a pretty good summary already. Basically a "loose" white
lies that was computationally less intensive while trying to be as close
to the RFC as was practical.

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] Looking for zones using white lies (RFC 4470)
On Fri, Jan 27, 2023 at 11:16 AM Paul Ebersman <list-dns-operati...@dragon.net> wrote:

> shuque> UltraDNS (Neustar Security Services) is known to use NSEC White
> shuque> Lies. I have a test zone there,
>
> shuque> which you can examine: "[[ultratest.huque.com]]".
>
> My recollection is that the NSS implementation is really grey lies,
> i.e. not quite RFC white lies but not fully black like cloudflare.
>

Paul - what's the definition of "grey lies"?

The UltraDNS implementation doesn't use the more precise white lies
epsilon function defined in the spec, but it is probably good enough for
all practical purposes.

And it's much closer to white lies than "black" lies, because it
preserves the correct semantics of NXDOMAIN.

Shumon.
Re: [dns-operations] Looking for zones using white lies (RFC 4470)
shuque> UltraDNS (Neustar Security Services) is known to use NSEC White
shuque> Lies. I have a test zone there,

shuque> which you can examine: "[[ultratest.huque.com]]".

My recollection is that the NSS implementation is really grey lies,
i.e. not quite RFC white lies but not fully black like cloudflare.
Re: [dns-operations] Looking for zones using white lies (RFC 4470)
On Fri, Jan 27, 2023 at 3:39 AM Stephane Bortzmeyer wrote:

> On Fri, Jan 27, 2023 at 12:19:18AM -0500,
>  Viktor Dukhovni wrote
>  a message of 30 lines which said:
>
> > Three sample zones:
>
> They all seem to use black lies, not white lies.
>

I took a quick look:

* herokudns.com is definitely "black" ("minimal"?) lies, hosted on NS1,
  which uses that method.
* cfcualerts.com appears to use normal pre-computed NSEC3.
* technohazard.io - no idea; my attempts at eliciting negative responses
  result in SERVFAIL.

UltraDNS (Neustar Security Services) is known to use NSEC White Lies.
I have a test zone there, which you can examine: "ultratest.huque.com".

$ dig +dnssec foobar.nxd.ultratest.huque.com. A +noall +authority
!~.nxd.ultratest.huque.com. 1792 IN RRSIG NSEC 13 5 1800 20230722123724 20230123123724 39543 ultratest.huque.com. q+TWfjkPmlWs/xVBsZu3kiWyhUqcZJWjq2U28BVoLcT8kCacqjRF1NKM qEss4HsL9VxpAlq7AfRarczZwNtBaA==
!~.nxd.ultratest.huque.com. 1792 IN NSEC -.nxd.ultratest.huque.com. RRSIG NSEC
foobaq~.nxd.ultratest.huque.com. 1792 IN RRSIG NSEC 13 5 1800 20230722123724 20230123123724 39543 ultratest.huque.com. UM1w+ZxUTUXCZ/T8xD5cOHOgrJaBHJM7UPFTOs4UlMjkbRcK3L7eEn8M /36nCgTfQNk+cllamUqr5CJ+FuUDFw==
foobaq~.nxd.ultratest.huque.com. 1792 IN NSEC foobar!.nxd.ultratest.huque.com. RRSIG NSEC
ultratest.huque.com. 1792 IN SOA dns01.salesforce.com. hostmaster.salesforce.com. 2019101692 1800 900 2592000 1800
ultratest.huque.com. 1792 IN RRSIG SOA 13 3 1800 20230722123724 20230123123724 39543 ultratest.huque.com. 6nhsLNAUv0TYiA6Gp0evnicallUmMEsr0T9qK3GvmkxVy+8FC9v2DsUR rp+o7/QMjKl+dvYncQcIspRZmUlgZw==

Shumon.
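[Added example, not part of any message in this thread and not UltraDNS code: a check, using RFC 4034 section 6.1 canonical ordering, that the two NSEC records in the dig output above cover the query name and the wildcard, which is what proves NXDOMAIN. The function names are hypothetical, and the closest encloser nxd.ultratest.huque.com. is an assumption inferred from the wildcard-covering NSEC.]

```python
# Added example: RFC 4034 section 6.1 canonical ordering and NSEC coverage.
# Names come from the dig output quoted in the message above. Assumption:
# labels contain no escaped characters (no "\." or "\DDD" sequences).

def canonical_key(name):
    """Sort key: labels right to left, lowercased, compared as raw bytes."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly between owner and next_name."""
    o = canonical_key(owner)
    n = canonical_key(next_name)
    q = canonical_key(qname)
    if o < n:
        return o < q < n
    # The last NSEC in a chain wraps around to the zone apex.
    return q > o or q < n

def proves_nxdomain(nsecs, qname, closest_encloser):
    """NXDOMAIN needs an NSEC covering qname and an NSEC covering the
    wildcard at the closest encloser. An NSEC whose owner equals qname
    (the "black lies" shape) says the name exists, so it covers nothing
    here and the result is False (that answer is NODATA, not NXDOMAIN)."""
    wildcard = "*." + closest_encloser
    name_ok = any(nsec_covers(o, n, qname) for o, n in nsecs)
    wild_ok = any(nsec_covers(o, n, wildcard) for o, n in nsecs)
    return name_ok and wild_ok

# (owner, next) pairs from the two NSEC records in the dig output above.
ULTRADNS_NSECS = [
    ("!~.nxd.ultratest.huque.com.", "-.nxd.ultratest.huque.com."),
    ("foobaq~.nxd.ultratest.huque.com.", "foobar!.nxd.ultratest.huque.com."),
]
QNAME = "foobar.nxd.ultratest.huque.com."
ENCLOSER = "nxd.ultratest.huque.com."  # assumed closest encloser

if __name__ == "__main__":
    for owner, nxt in ULTRADNS_NSECS:
        print(owner, "covers qname:", nsec_covers(owner, nxt, QNAME),
              "covers wildcard:", nsec_covers(owner, nxt, "*." + ENCLOSER))
    print("NXDOMAIN proven:", proves_nxdomain(ULTRADNS_NSECS, QNAME, ENCLOSER))
```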
Re: [dns-operations] Looking for zones using white lies (RFC 4470)
On Fri, Jan 27, 2023 at 12:19:18AM -0500,
 Viktor Dukhovni wrote
 a message of 30 lines which said:

> Three sample zones:

They all seem to use black lies, not white lies.