Re: zone-covering NSEC ranges -- "which is it?"
On Mon, 14 Jun 2004, Paul Vixie wrote:
> > I had been assuming the second possible answer, given that RFC2535
> > said (5.1):
> >
> > There is a potential problem with the last NXT in a zone as it
> > wants to have an owner name which is the last existing name in
> > canonical order, which is easy, but it is not obvious what name to
> > put in its RDATA to indicate the entire remainder of the name
> > space. This is handled by treating the name space as circular and
> > putting the zone name in the RDATA of the last NXT in a zone.
> >
> > However it appears that DNSSECbis makes no similar statement about a
> > circular name space.
>
> not only that, the circularity is only by mention, not in fact. it does
> not say that putting your own owner name in as the target name works;
> rather, that the zone name (or apex, or @ in my example) is special cased.
-records draft:
4.1.1 The Next Domain Name Field
The Next Domain Name field contains the owner name of the next
authoritative owner name in the canonical ordering of the zone; see
* Section 6.1 for an explanation of canonical ordering. The value of
* the Next Domain Name field in the last NSEC record in the zone is the
* name of the zone apex (the owner name of the zone's SOA RR).
The circularity is by fact, and @ NSEC @ is by implication:
If the last NSEC record is the only (i.e. also the first, or APEX) NSEC,
it has its owner name in the Next Domain Name field.
Roy
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
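
The rule discussed in this message (the last NSEC in canonical order carries the zone apex as its Next Domain Name, so a zone with a single owner name gets an NSEC that points at itself), as an added Python example that is not part of the original message. The function names and the sample zone are constructed, and names are assumed to be fully qualified ASCII without escape sequences.

```python
# Added example: NSEC chain construction with the apex wrap-around.
# Assumption: names are fully qualified, ASCII, with no escape sequences.

def canonical_key(name):
    """Canonical-ordering sort key: labels right to left, lowercased, as bytes."""
    labels = [l for l in name.lower().split(".") if l]
    return [label.encode("ascii") for label in reversed(labels)]

def in_zone(name, apex):
    """True if name is at or below the apex."""
    akey = canonical_key(apex)
    return canonical_key(name)[:len(akey)] == akey

def nsec_chain(apex, owner_names):
    """Return [(owner, next_domain_name), ...] in canonical order."""
    names = {n.lower() for n in owner_names} | {apex.lower()}
    outside = [n for n in names if not in_zone(n, apex)]
    if outside:
        raise ValueError(f"not in zone {apex}: {outside}")
    ordered = sorted(names, key=canonical_key)
    # The last record's next name is ordered[0], which is the apex; with a
    # single owner name this yields (apex, apex), i.e. "@ NSEC @".
    return [(ordered[i], ordered[(i + 1) % len(ordered)])
            for i in range(len(ordered))]

def covers(nsec, qname, apex):
    """True if qname lies strictly inside the span of this NSEC record."""
    owner, nxt = nsec
    if not in_zone(qname, apex):
        return False
    q, o = canonical_key(qname), canonical_key(owner)
    if canonical_key(nxt) == canonical_key(apex):
        return q > o  # last NSEC: the entire remainder of the zone
    return o < q < canonical_key(nxt)

# Constructed sample zone, given in arbitrary order and mixed case.
ZONE = ["z.example.", "a.example.", "Z.a.example.", "*.z.example.",
        "yljkjljk.a.example.", "zABC.a.EXAMPLE."]

if __name__ == "__main__":
    for owner, nxt in nsec_chain("example.", ZONE):
        print(f"{owner:24} NSEC {nxt}")
    print(nsec_chain("example.", []))  # apex-only zone
```
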