> On Mar 29, 2017, at 10:33 AM, Wei Chuang <[email protected]> wrote:
> 
> Why not create an explicit Non-existence of DS (NDS) RR that gets logged 
> along with DS and NS?

This is not needed, the NSEC/NSEC3 RRs already serve that role.

For NSEC records (RFC4034), an unsigned delegation looks like:

        example.com. IN NS ns1.example.com.
        example.com. IN NSEC examplf.com NS
        example.com. IN RRSIG NSEC ...

this proves that NS (or other depending on the content of the type
bitmap of the NSEC record) records exist for example.com, but DS
records do not.

With NSEC3 (rfc5155), and the "opt-out" bit the situation can be
more complex because the answer may not establish the existence of
example.com.  Instead we may get an existence proof for the closest
encloser (ancestor domain) and proof that "example.com" is not signed,
but no proof of its existence.  This means that to avoid spam, a log
might want to independently verify the existence of the insecure
delegation by repeating the query, so as to avoid storing data for
non-existent domains with the insecure NXDOMAIN modified to NOERROR
with made up NS records.

-- 
        Viktor.

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
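Added example (Python, written for this page; it is not code from the email or from the trans list discussion): the check the reply describes, done on the wire-format type bitmap shared by NSEC (RFC 4034 §4.1.2) and NSEC3 (RFC 5155 §3.1.8). NS present with DS absent is the insecure-delegation proof; for NSEC3 the opt-out flag is inspected to decide whether the name's existence was proven at all or a log should re-query. All function names are hypothetical and the sample RDATA bytes are constructed, not captured from a live zone.

```python
"""Classify what an NSEC/NSEC3 type bitmap proves about a delegation."""

# RR type codes from the IANA DNS parameters registry.
TYPE_NS, TYPE_DS, TYPE_RRSIG, TYPE_NSEC = 2, 43, 46, 47

NSEC3_OPT_OUT_FLAG = 0x01  # RFC 5155 section 3.1.2.1: low bit of the Flags octet


def encode_type_bitmap(types):
    """Encode a set of type codes as (window, length, bitmap) blocks, where
    the most significant bit of each octet is the lowest type code. Used
    here only to construct sample RDATA for the parser below."""
    windows = {}
    for t in types:
        if not 0 <= t <= 0xFFFF:
            raise ValueError("bad type code %r" % t)
        win, low = divmod(t, 256)
        bitmap = windows.setdefault(win, bytearray(32))
        bitmap[low // 8] |= 0x80 >> (low % 8)
    out = bytearray()
    for win in sorted(windows):
        bitmap = windows[win]
        length = len(bitmap.rstrip(b"\x00"))  # trailing zero octets are omitted
        if length:
            out += bytes([win, length]) + bitmap[:length]
    return bytes(out)


def parse_type_bitmap(data):
    """Decode the type-bitmap wire format into a set of type codes, rejecting
    malformed windows instead of silently skipping them."""
    types = set()
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        win, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("bad bitmap length %d in window %d" % (length, win))
        for octet_idx, octet in enumerate(data[i + 2:i + 2 + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add(win * 256 + octet_idx * 8 + bit)
        i += 2 + length
    return types


def classify_delegation(bitmap_types):
    """What the bitmap of the NSEC/NSEC3 record that matches the child
    name proves: NS without DS is the insecure-delegation case."""
    has_ns, has_ds = TYPE_NS in bitmap_types, TYPE_DS in bitmap_types
    if has_ns and not has_ds:
        return "insecure delegation"
    if has_ns and has_ds:
        return "secure delegation"
    return "not a delegation"


def nsec3_name_existence(flags, owner_matches_child):
    """With NSEC3, a record whose owner matches the hashed child name proves
    the name exists. A covering record only proves non-existence when
    opt-out is clear; with opt-out set the name may be an unsigned
    delegation that was skipped, so a log should verify with its own query."""
    if owner_matches_child:
        return "exists"
    if flags & NSEC3_OPT_OUT_FLAG:
        return "unknown (opt-out span; re-query before logging)"
    return "does not exist"


def check_delegation_proof(bitmap_rdata):
    """Parse a constructed NSEC type bitmap and classify the delegation."""
    return classify_delegation(parse_type_bitmap(bitmap_rdata))


# Constructed sample: the bitmap a signed parent would publish for an
# unsigned child (NS RRSIG NSEC; no DS), as in the email's example.
SAMPLE_INSECURE = encode_type_bitmap({TYPE_NS, TYPE_RRSIG, TYPE_NSEC})
SAMPLE_SECURE = encode_type_bitmap({TYPE_NS, TYPE_DS, TYPE_RRSIG, TYPE_NSEC})

if __name__ == "__main__":
    print(SAMPLE_INSECURE.hex(), "->", check_delegation_proof(SAMPLE_INSECURE))
    print(SAMPLE_SECURE.hex(), "->", check_delegation_proof(SAMPLE_SECURE))
    print("NSEC3 covering record, opt-out set ->",
          nsec3_name_existence(NSEC3_OPT_OUT_FLAG, owner_matches_child=False))
```

The encoder reproduces the layout in the RFC 4034 example (`A MX RRSIG NSEC TYPE1234` becomes `00 06 40 01 00 00 00 03 04 1B 00 ... 20`), so the parser is exercised on realistic bytes; for NSEC3 the same bitmap parser applies to the record's trailing Type Bit Maps field once the hash and salt fields have been skipped.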
