Re: Empty non-terminals and NSEC records
> The example zone in the draft-ietf-dnsext-dnssec-protocol-03.txt document
> contains the following records (among others and excluding RRSIG records):
>
> ns2.example. 3600 IN A 192.0.2.2
> 3600 NSEC *.w.example. A RRSIG NSEC
> *.w.example. 3600 IN MX 1 ai.example.
> 3600 NSEC x.w.example. MX RRSIG NSEC
>
> Notice there are no RRs for the w.example. domain, making it an empty
> non-terminal. According to the original DNS RFCs empty non-terminals do
> exist (in other words, querying for w.example. will not result in NXDOMAIN
> but in NODATA).
>
> However, the signed version does not include proper NSEC records for
> w.example. Is this intentional and expected behaviour?
>
> Erik
You don't need an NSEC record to know that w.example exists.
You can prove that it exists with this NSEC record.

ns2.example. NSEC *.w.example. A RRSIG NSEC

The above record proves that "ns2.example.", "*.w.example.",
"w.example.", "example." and "." exist.
It also proves that "ns2.example." and "*.w.example." contain
data. It also proves what data exists at "ns2.example.".
It also proves that "w.example." is empty.
It does not say whether "example" or "." contain data or not.

Note "example." is the common subdomain of the two domains in
the record.

Note "w.example." is an interior domain between the common
subdomain and the next domain name. Interior domains between
the common subdomain and the next domain name are always
empty.
Mark
>
>
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org
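
The reasoning in the reply above, worked through as an added example (not part of the original thread): given an NSEC owner name and its next name, derive which names are proven to exist and which are proven to be empty non-terminals. The function names are hypothetical, and the sketch assumes absolute names with no escaped dots inside labels.

```python
def labels(name):
    """Split an absolute domain name into labels, root-most label first."""
    name = name.rstrip(".").lower()
    return name.split(".")[::-1] if name else []


def to_name(rev_labels):
    """Inverse of labels(): rebuild the absolute name ('.' for the root)."""
    return ".".join(reversed(rev_labels)) + "." if rev_labels else "."


def analyse_nsec(owner, next_name):
    """Return what a single validated NSEC record (owner -> next_name) proves."""
    o, n = labels(owner), labels(next_name)

    # Number of labels shared from the root down: the common ancestor
    # ("example." for ns2.example. and *.w.example.).
    common = 0
    while common < min(len(o), len(n)) and o[common] == n[common]:
        common += 1

    # Both endpoints exist, so every ancestor of either one exists too.
    exists = {to_name(o[:i]) for i in range(len(o) + 1)}
    exists |= {to_name(n[:i]) for i in range(len(n) + 1)}

    # Names strictly between the common ancestor and the next name sort
    # after the owner and before the next name, yet own no NSEC of their
    # own: they exist but hold no records (empty non-terminals).
    empty = [to_name(n[:i]) for i in range(common + 1, len(n))]

    return {
        "common_ancestor": to_name(n[:common]),
        "exists": exists,
        "has_data": {to_name(o), to_name(n)},
        "empty_non_terminals": empty,
    }


if __name__ == "__main__":
    # The record discussed in the thread.
    for key, value in analyse_nsec("ns2.example.", "*.w.example.").items():
        print(key, "=", value)
```

A validating resolver can use the `empty_non_terminals` result to answer a query for `w.example.` as NODATA rather than NXDOMAIN, which is the distinction raised in the original question.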