Re: zone-covering NSEC ranges -- "which is it?"
On Tuesday 15 June 2004 4:37 am, Olaf M. Kolkman wrote:
> On Mon, 14 Jun 2004 21:08:36 +0000
>
> Paul Vixie <paul@vix.com> wrote:
> > i asked this in an earlier message but it was lost in the haze of a
> > larger discussion. here are two NSEC RRs, more or less.
> >
> > #1: @ NSEC (SOA NS ...) @
> >
> > #2: X NSEC (...) X
> >
> > there are two visible differences between them: one says there's an SOA
> > and NS at the ownername (@), the other does not (X). and one's owner
> > and target names are "@" (the zone apex) and the other's owner and target
> > name is "X" (not the zone apex).
>
> Having read the other mails.
>
> The mention of circularity is unambiguously mentioned in records 4.1.1.
>
> The value of the Next Domain Name field in the last NSEC record in
> the zone is the name of the zone apex
> special cases->special treatment->new corner cases->more delay.
I will note that -protocol-06 is missing language for handling this last
record NSEC case. From -protocol-06, section 5.4:
    o  If the requested RR name would appear after an authenticated NSEC
       RR's owner name and before the name listed in that NSEC RR's Next
       Domain Name field according to the canonical DNS name order
       defined in [I-D.ietf-dnsext-dnssec-records], then no RRsets with
       the requested name exist in the zone.
(This is the first sentence of the second bullet in this section. I couldn't
find any other more relevant text in the draft).
This may present an Opportunity to define the interpretation of this case of
NSEC records in a way advantageous to a "white lies" strategy. Or perhaps
not.
--
David Blacka <davidb@verisignlabs.com>
Sr. Engineer VeriSign Applied Research
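As an added illustration (not code from the thread, the -records draft or the -protocol draft), the covering check from the quoted 5.4 text alongside the wrap-around rule for the last NSEC whose Next Domain Name is the apex; the "example." zone and its names are constructed for the demonstration.

```python
# Added example: canonical DNS name order and the NSEC "covering" check,
# including the last-NSEC case (Next Domain Name == zone apex) that the
# quoted -protocol-06 sentence does not describe. Names are presentation
# format with ASCII labels; escape sequences are not handled.

def canonical_key(name: str) -> tuple:
    """Sort key for canonical DNS name order: most significant label first,
    labels compared as lowercase octet strings, and a name that is a prefix
    of a longer name sorts before it. The root yields an empty tuple."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return tuple(label.encode("ascii") for label in reversed(labels))


def in_zone(qname: str, apex: str) -> bool:
    """True if qname is the apex itself or a name below it."""
    q, a = canonical_key(qname), canonical_key(apex)
    return q[: len(a)] == a


def naive_covers(owner: str, next_name: str, qname: str) -> bool:
    """The quoted rule taken literally: owner < qname < next. For the last
    NSEC in a zone this never matches, because next (the apex) sorts first."""
    return canonical_key(owner) < canonical_key(qname) < canonical_key(next_name)


def nsec_covers(owner: str, next_name: str, apex: str, qname: str) -> bool:
    """Does this NSEC prove that qname has no RRsets in the zone?

    Ordinary record: qname sorts strictly between owner and next.
    Last record (next == apex; owner may also be the apex when the zone
    contains nothing but the apex, Vixie's case #1): qname sorts after the
    owner and is still within the zone, i.e. the range wraps to the apex."""
    o, n, a, q = (canonical_key(x) for x in (owner, next_name, apex, qname))
    if not in_zone(qname, apex):
        return False          # a zone's NSECs prove nothing about other zones
    if o < n:
        return o < q < n      # ordinary gap between two names in the zone
    if n == a:
        return q > o          # wrap-around: everything after owner to zone end
    return False              # owner > next but next is not the apex: prove nothing
```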
archive: <http://ops.ietf.org/lists/namedroppers/>